December 18, 2013

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.


Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
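What track data looks like from a defender's side, as an added example that is not part of the original story: a Python scan of log text for leftover Track 1/Track 2 strings (layout per ISO/IEC 7813), using the Luhn check digit to discard random digit runs and reporting only masked numbers. The log lines, terminal names and function names are constructed for illustration, and the card numbers are public test numbers.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813:
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
PATTERNS = (
    ("track1", re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")),
    ("track2", re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")),
)

# Constructed sample input: hypothetical terminal debug log, public test PANs.
SAMPLE_LOG = [
    "2013-12-01 10:02:11 POS-0042 auth ok amount=23.17",
    "2013-12-01 10:02:12 POS-0042 DEBUG swipe=;4111111111111111=25121010000000000000?",
    "2013-12-01 10:03:40 POS-0017 DEBUG swipe=%B5555555555554444^DOE/JANE^25121010000000000000000?",
    "2013-12-01 10:04:02 POS-0017 order ref ;4111111111111112=25121010000? (not a card)",
]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: weeds out digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return one finding per stored track string; never the full PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append(
                        {"line": lineno, "kind": kind, "pan": mask(pan)}
                    )
    return findings


def redact(line: str) -> str:
    """Replace any Luhn-valid track string in a line with a masked marker."""
    for kind, rx in PATTERNS:
        def repl(m, kind=kind):
            pan = m.group(1)
            if not luhn_ok(pan):
                return m.group(0)   # leave look-alikes untouched
            return f"[{kind} {mask(pan)} REDACTED]"
        line = rx.sub(repl, line)
    return line


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for entry in SAMPLE_LOG:
        print(redact(entry))
```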

It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.

Follow-up reporting on the Target breach:

Cards Stolen in Target Breach Flood Underground Markets

New Clues in the Target Breach

A First Look at the Target Intrusion, Malware

A Closer Look at the Target Malware, Part II

Fire Sale on Cards Stolen in Target Breach

Card Backlog Extends Pain from Target Breach

Target Hackers Broke in Via HVAC Company

Email Attack on Vendor Set Up Breach at Target

Who’s Selling Credit Cards Stolen from Target?

The Target Breach, By the Numbers

Inside Target Corp., Days After 2013 Breach


620 thoughts on “Sources: Target Investigating Data Breach”

  1. Clyde Tolson

    Just like TJX, the FBI will certainly catch the crooks!

    1. Albatross

      You live in some kind of dream world, right? If these ‘crooks’ are based anywhere within FBI jurisdiction I’ll be surprised. I’m thinking Russia myself.

      1. Steve

        LOL. And when the Russians take that vacation to Dominican or Thailand they get nabbed at the airport. Happens _ALL_ the time. You don’t need to step foot into the US to end up in US custody.

  2. JCitizen

    Good thing I only shop Target online, and use a secure online credit card. They can go ahead and steal it, they won’t get any money! >:D

        1. Larry McP

          Awesome…

          I did that once too. Phone started ringin’ off the hook from the card company’s fraud detection department… they said Mr. McP we need to change your card number. Makes sense!

          1. JCitizen

            Actually with these, that isn’t necessary. The number is worthless to anyone but the original vendor. This system got one of my online vendors in trouble, because of their sloppy security, and no criminal got any money! HA! 😀

            Now they can only take credit card over the phone, and the system flushes the number immediately after it is used. That way they know if it is an inside job, if they try it again. They (the crooks) will still not get any money.

          2. AgentPhunk

            I got a RoboCall once saying ‘your card has been compromised’ – please enter your card # to verify. So I just banged in a bunch of random digits, but it didn’t ‘take’ – probably because they were using the credit card # verification algorithm. So I looked online for ‘legitimate fake card #’s’ – i.e. ones that developers can use to test their code to see if the verification algorithm was working. Boom – the robovoice says ‘thank you.. click!’ Pretty cool if you think about it.

            1. JCitizen

              If another post of mine appears, I apologize! Something must be going wrong with this page.

          3. JCitizen

            Okay – 2nd attempt to reply – It is not necessary to change the number as it only works with the original vendor. They are throw away numbers, but since the crook can’t use it anyway, it can stay with the vendor forever.

            This system got one of my online vendors in trouble because of their sloppy security; but no crook ever got any money out of the deal! They almost lost their business with the card companies with that one. They can only process over the phone now, and since it isn’t retained – they will know if it is an inside job. The crook will still not get any money! HA! 😀

  3. Kevin

    I shopped instore multiple times during that span. I only used my Red Card. Would that mean I’m better off… or worse off… than people who used a normal credit card?

    1. stealthy

      Red card? If that’s also from Target, think of it this way: a card is a card is a card…….

      Or Target is Target …….

      All the fancy cards get is more things marketed to you .. more ‘rewards’ and other things designed to separate you from your money – plus interest.

      Change your account password – now! And make sure you don’t ever use the same password for more than one account. If you’ve done that, go change them all.

      1. Cvalencia

        The Red Card is directly linked to your checking account, right? I mean, you had to submit a VOID check in order to get the Red Card. So, you might be worse off as it might have a direct link to your checking account.

        Great question for Target!!

    2. Ted

      I also have a Red Card I use regularly and the debit account I have linked to it recently had $400 in fraudulent charges. I very rarely use the account linked to my Red Card so this might explain the fraudulent charges.

    3. SeaWolf

      If by Red Card you meant the store issued card, you’re probably in better shape than people who had their branded credit card numbers skimmed. I can take a Visa, MasterCard, Amex, Discover anywhere… and if I had the PIN, I could get cash pretty quickly from a bank account. Of course, nothing official yet about what types of data stolen, but if full track made its way out, don’t rule out PIN numbers being stolen either. Perhaps not even by the same method/medium, but if someone got their hands in that deep into the cookie jar, expect that they took more than one cookie 🙂

      With the store issued card, you’d be limited to making fraudulent purchases at Target. Not saying that couldn’t happen (and that it wouldn’t hurt if you were autopaying from a checking account or something), but I’m guessing Target will be more than a little hyper vigilant about that in the coming months.

  4. Scott

    Brian,

    This is probably going to be a lot larger than TJX…do you think? We have all GOT to stay alert in our workplaces even if we have nothing to do with Information Security! Thanks as always for the great reporting!

    Scott

    1. BrianKrebs Post author

      No clue really. I have heard various numbers from people in the card-issuing business, but they are all guesses at this point, so I avoid printing them. But yes, if just two issuers were notified about more than a million cards total, it’s probably going to be fairly big.

      1. Cat

        BrianKrebs, Would you happen to know in your discovery who Target’s main Network Processor is ? Like Global Payments, First Data, TSYS. . .

        1. Jboots

          Larry McP – I have to disagree with you about smaller companies being less likely to be breached than larger ones. Being in the security industry we see this attitude all the time “it’s not going to happen to me because I’m not big enough” and that’s part of the problem. The bad guys don’t care how big or small you are, if they can get into your systems and steal credit card data or personal information they will do it, guaranteed!!

          1. Larry McP

            Thanks Jboots- actually if you look at my post, my point wasn’t “it’s not going to happen to us because we’re not big enough”. My point was “it’s less likely to happen to us because we only have a single IT employee and he knows what he’s doing”. When you’re as big as Target, you’re going to have dozens of IT employees with access, meaning dozens of opportunities for someone to screw up and cause a breach.

            Re your other point “The bad guys don’t care how big or small you are, if they can get into your systems and steal credit card data they will do it”… yep, agreed. That is not related to the point I made, however.

      2. voksalna

        Brian, I think your definition of big is narrow here — while this may be a massive number of cards, it was discovered fairly quickly, and probably few cards were used or fenced successfully. The true monetary costs here will be for bank card reissuance (and the ID theft protection that isn’t ;)). Aside from possibly having no access to cards while cards are issued, consumers probably will be FAR less affected by this than by TJX. Which isn’t to say it wasn’t a massive breach, probably, just that it’s probably not a very *successful* one from a criminal standpoint.

        1. voksalna

          Added arguments against overhyping: (1) “dumps” have no inherent value in and of themselves; they are only useful if they are valid. Provided banks cancel these cards in a timely manner, damage will be limited. (2) Card numbers can be changed fairly easily, albeit at a cost; PII theft is far more damaging, as things like this (eg identification numbers and the like) cannot be changed and often have repeated consequences.

  5. Jason

    This will hit hard especially in places like the Midwest, where Target is much more prevalent than Walmart or other large retailers.

    I did a poll in our office here to see who hasn’t shopped at Target during that span and used a payment card, could not find a single person that hadn’t.

  6. Cat

    Thank you, BrianKrebs, you have done it again! Thorough reporting before anyone else! Outstanding work. I know that if I refresh constantly – the truth will emerge on this site before anywhere else.

  7. Nancy

    Well… This explains two compromised cards in two days. Got it straightened out without any actual loss of funds on my end. A PITA mostly.

    Thankfully my banks’ fraud alert systems worked. I woke up to one on a Sunday morning asking if I had made over $700 worth of World of Warcraft purchases that morning. Nope. Nor had I purchased nearly $1000 worth of gasoline 2 states away the day before….

  8. A

    If we had a chip-and-PIN system we would be more secure, right?

    1. Joachim V

      chip and PIN is great for issuers because it moves liability to the consumer. It can possibly reduce fraud, but chip and PIN still sends card data in the clear. That clear card data can still be used for online and physical fraudulent purchases. So chip and PIN doesn’t help unless that’s the only way to purchase data or the plaintext data cannot be used for purchase without the chip (not true today).

      I would rather see all merchants encrypt all payment data all the way through their networks and protect consumers that way.

      1. h

        Newer pinpads do just that… point to point encryption (p2pe). Card info is encrypted at the pinpad and decrypted at the host. The POS system never sees the unencrypted card number.

      2. JCitizen

        Not only that but your card becomes an RFID target – no telling what could happen then, even if the chip is encrypted – so what? Chips can be reprogrammed – what if they get wirelessly reprogrammed? I’m not familiar with the hardware, but I still see cheaper better solutions. As far as that goes, one static snap and it get EEPROMed!

        1. Joachim V

          While I’m not a big fan of Chip & PIN (EMV is the standard) the security on smart card chips used is pretty good. It is difficult to impossible to clone a single chip (perhaps $10K in the easiest case, up to $100K or more in more secure chips, more than it’s worth to crack a single chip as you have to do that effort every time). So I’m not worried about chip cloning attacks because it’s not likely. But, the EMV standard only authenticates your transaction and doesn’t require that authentication everywhere. So your card data (name, account number, expiration date) is still in the clear and can still be used for fraud.

          1. Cjd

            The problem here lies in backward compatibility. Almost all pin devices also are backwards compatible with magstrip, and almost all cards carry a mag strip as a backup. I have read a number of posts on carder forums discussing how to destroy a chip and then rewrite the magstrip to circumvent the newer technology. When you consider the sheer number of devices needing to be replaced in the US, along with the number of cards, we’re looking at close to 10 years to phase out the magstrip, if not more, and that’s only after the standards issues are settled in the US. Without requirements from PCI, or federal regulation (once emv is a reality) making it a requirement for retailers to run magstripes by the employee, with the requirement to input the last 4 printed on the card, or similar, then CC fraud is here to stay in the US. Fixing the problem is a zero sum game to the players, IMO. Not to mention, how do you handle the burden of costs for low margin businesses, and small issuers?? My company operates on tiny margins with about 2000 pos devices in place. It could kill us to have to make such a replacement overnight.

  9. BRIAN

    My credit was compromised just after Black Friday..only retailer I used that day was Target! If a giant retailer can’t keep their data secure what about all the smaller retailers out there?

    1. Larry McP

      You know what, I think in many cases a small retailer would actually be *less* likely to suffer a breach. I work at a small business where only one IT person (me) has access to the back-end system and customer data. As long as I don’t screw up and allow malware into the system, we’re safe.

      Compare that with a giant like Target, where they likely have dozens of IT staff who have access. The “attack surface” is much larger simply because of the increased number of IT employees who could make a careless mistake. It only takes one…

      1. Joachim V

        Agreed that smaller has less surface area to breach (especially if they are lucky to have a smart IT person behind them).

        But regardless of the size of the merchant, if you’re not taking advantage of end to end encryption that your processor offers, you’re a honeypot of gold to an attacker at any size.

        The largest growth in breaches in the past few years is small retailers and small restaurants.

        Encryption protects everyone. And small merchants can least afford the fines of a breach and are more likely to be put out of business by one.

    2. Ebjay

      How do you know that your card was compromised *after* Black Friday and not before?

  10. Ravi

    Brian,

    Excellent reporting as always, but I do want to make one important correction. PIN data is encrypted during a card authorization using a method called DUKPT (derived unique key per transaction). The rest of cardholder data is in the clear and can easily be intercepted.

    DUKPT is by no means infallible, but the base derivation encryption key would have to be compromised in order for a hacker to gain access to PIN numbers.

    Thanks for the information.

    1. achbed

      If they compromised the POS systems and altered the firmware on the readers, they can capture anything they want. And given that this is entire card stripe data who knows where the point of failure/access was at this point.

  11. Kelly

    So…what is the smartest thing to do here if we have used a card multiple times at Target within that time period, and we have not had any fraudulent charges made yet?

    1. PaulJohnson

      Your card issuer (the bank you got it from) will let you know if you have to get issued a new one.

    2. Heron

      Look at your statements carefully, and call the card issuer right away if you notice any fraudulent charges.

    3. stephanie

      I called every single one of my credit card companies that I had used at Target and had them close that credit card number and are sending me new ones. Better safe than sorry.

  12. George G

    Brian,

    what do you mean by “company’s main street stores” ?
    Brick-and-mortar ?

    1. BrianKrebs Post author

      Yes. You’re the second person to ask that. Maybe I should change it to bricks-and-mortar. I didn’t want people confusing this with target.com.

      1. TheOreganoRouter.onion

        I saw “company’s main street store” and was confused also. You should have put “big box stores”

      2. f.tribaldos

        I like Big Box.. Conveys the concept better as Target is primarily a brick and mortar retailer.

  13. L

    Although free speech is a constitutional right. Inside sources at payment card processors giving confidential information to you is not. That my friend is illegal.

      1. L

        lol…Your investigation skills are stellar. Security guy…um no. Fellow reporter…yes.

    1. PaulJohnson

      it’s not illegal per sea. the card issuers (think pci which is industry driven not legally driven (aka by law)) are all private companies with private agreements with Target. If someone breached anything it would be a violation of some agreement, but not illegal. The news is out… stop crying over spilled mike and try to fix the problem instead.

        1. PaulJohnson

          grammar nazi… nice to have you here tonight. Good catch!

      1. voksalna

        I am worried about poor Mike actually. L is correct, but only if the highly selective powers-that-be decided to investigate who did it as a case of impeding an investigation by leaking potentially sensitive information regarding an ongoing investigation, but generally they won’t do this because they like selective prosecution. Failing that the company would have to figure out who their leak was and a civil complaint would be filed for monetary damages, which the person likely would not be able to pay anyway, so they’d likely just have little more than a dismissal case — this also would not happen, probably, because it would bring more negative PR. Life is not fair. But I agree with L.

  14. Ryan

    Both myself and my wife were caught up in this. We had both of our card numbers stolen. We were shopping at a Target in Florida on Black Friday and both of us were in separate lines to expedite the shopping but a week ago we had over $2,000 in fraudulent charges. They used both card numbers and the purchases were out of a target in NY I’m not sure if anyone else who is a victim here had fraudulent charge made in NY but we did.

    1. PaulJohnson

      There have been rumors of 40k machines being, “altered,” which in my mind sounds like focused infection to the pos systems

      1. E.M.H.

        I’ve seen those rumors too, but no substantiation of them. Seems to me, though, that if the number of compromised cards is in the 7 figure range, it would’ve been easier to get that amount through a more centralized compromise than tens of thousands of POS terminals.

        On the other hand, each individual terminal would have less security than any of the central processing stages.

        I don’t know. If this was indeed distributed amongst the POS terminals, that’s disturbing.

        1. PaulJohnson

          I like that you’re thinking about it. Target has about 1800 stores in the US, and I’m guessing each of those stores has about 24 machines for pos operations, that easily equals 40k.

        2. SR

          40,000 points of compromise is a LOT, obviously. That would be – almost – every single POS terminal in operation at Target US. The logistics of injecting malware into that many registers (or probably even harder, PIN devices) for a timed attack makes it seem unlikely. Stranger things have happened, I guess. Thanks for the info, guys. Looking forward to some more technical conjecture/details.

          1. Jay

            SR,
            You’re right about the size of this compromise. We had two major local grocery stores in Arizona breached earlier this year with Malware that was specifically used to skim card data from POS using windows systems. It will be interesting to see if this was similar, and was a targeted (no pun intended) attack via a spear phishing attack within Target’s corporate email. This is a huge breach, and logistically it would be assumed to be a major insider activity if it was all physically installed skimmers. It would have to have been an amazing organized criminal element (not to say it wasn’t in any case).

  15. SR

    BTW, Brian – I don’t say this enough but you are THE MAN! Thanks for bringing this to us.

  16. TheOreganoRouter.onion

    Sounds to me like more infected or hijacked card readers at the P.O.S.

    The headline for the article should have been “This time the target was Target , Bulls-eye”

    It looks like it’s going to be a good Christmas at the Krebs house. All these security articles right before the holiday

  17. Tracy

    Guessing it’s not been determined the point of entry – is it only at the POS or was it hack into the network through one store a la TJX? Because I’d be hard pressed to think a POS machine would process up to 1M unique cards. Ack. I panicked and had my card company issue me a new number. It’s been too long since it changed anyhow.

    Thank you for the story! If only security wasn’t an issue to keep you so busy writing.

    1. E.M.H.

      If the rumors are true – and they MUST be taken with a huge grain of salt – then many thousands of individual terminals were compromised.

      Again, though, that’s the **RUMOR**. I personally think it’s more probable that it was a single, upstream compromise given the number of cards being talked about. Getting a million cards from endpoints is difficult. But nothing’s for certain until actual factual details are reported.

  18. Paul

    The answer to this type of issue is what is called one-time use cards. A credit card number, right on your physical card is randomly generated each time you make a payment. Right after the payment, that card number is invalid. So if the database of a big retailer is stolen, your card # will be invalid. I saw a demo of this in NYC a few months ago. I think it was Paywith.com

  19. Retail Techie

    Since Target is also a major issuer of credit cards, wouldn’t they be the first to know about a breach? With the 5% discount, their Red Card MUST be the most used credit card in their stores. If their Red Card wasn’t affected, that will be interesting in and of itself.

  20. NOT Old School

    Speaking of security, how is it possible that when I visited this article and finished reading the comments, the name “Old School” and his/her email address (bike*****@sbcglobal.net) were already filled into the form? (I changed the actual word to stars – enough to prove my point without actually revealing the address.)

    This is my very first time visiting this website. I’m glad I didn’t fill in my own name and email address, because I wonder if someone else would have been able to see them.

    And L – as a fellow journalist, I will also disagree that it is not illegal for “inside sources” to share what they’ve shared with Mr. Krebs. They simply told him that (a) there was a breach, (b) how many accounts may have been affected, (c) there are indications the breach involved credit/debit cards used at Target during a certain timeframe.

    The “sources,” as far as we know, did not share victims’ names, locations or credit card numbers. They didn’t even mention any specifics about the breach — like how it happened, where the suspects might be located, etc.

    There are news articles out there all the time which are based on “sources” who are not named, who are providing “confidential” information to the media. In many cases, these are actually well-known and highly trusted sources, who for some reason can’t go “on the record” as a named source, but they tip-off the media because it would serve the public to get the information out there. And this is a perfect example. Krebs says Target hasn’t commented. Neither have either of the two biggest credit card companies. If these “sources” hadn’t spoken to Krebs or other media outlets, we might not know this is happening — I’m sure Target, Visa and MC would have preferred to resolve this entire mess quietly and get it swept under the rug without any media attention. But thanks to these “sources” speaking up, thousands (maybe millions — the story has been picked up by many other media outlets) of shoppers are now aware of what happened. People who might not normally watch their credit card statements very closely now have a “heads-up” to look things over, especially if they had shopped at Target recently. I usually wait until I get my monthly statement, but I’m going to review my charge history now, just to make sure there isn’t anything fraudulent on there.

  21. f.tribaldos

    Let me go out on a limb here and make a prediction that as usual there will be a Miami/SFL angle to this story. Add this to the list other ‘infamous’ events TJX/Gonzalez, Hanging Chads, Rothstein Ponzi, Biogenesis PED, Oxycodone/Pill Mills.

  22. Dave

    Does Target not have Data Loss Prevention products to prevent things like this from happening?

    1. Retail Techie

      They have major defenses against this kind of breach. Sometimes that’s not enough.

  23. Target guest

    So for those if us who have used our target red card debit cards during the time frame, should we call target and cancel the card? Would the stolen data include our bank account info or just the card #?
    Ugh

    1. RBBrittain

      It’s not certain at this time, but for the hacker to obtain bank account data he/she would have had to breach a central database; at present that does NOT appear to be the case, though it’s not impossible. Current reports say magstripe data was compromised, but for REDcard debit that’s not much beyond the card number itself; it’s unknown for now whether or not they got PINs.

  24. CPE

    IMO…

    Never never never use a debit card… U R asking for problems. Ask your bank if fraudulent charges get reimbursed. Ask how long it takes to get reimbursed and can you live that long without your cash!!!

    I would cancel your card and get a new number, regardless of red card, visa, mc, Amex etc.

    Be smart, be ahead of the fraud and protect yourself NOW!!!

  25. Fldw

    Used my bank debit card at Target in Fl where I live, on Thanksgiving, got a text alert this past Monday from my bank. My card was used Sunday 12/15 at a Home Depot in Tucson Az. Luckily it was less than $100.00, and my bank had already blocked my card from further use. Glad it wasn’t more but still sucks. No matter what thieves will always find a way.

  26. Tucker

    Is this specific to Target credit cards and their Red cards or is this for all credit and debit cards issued from Banks, Visa, Mastercard….?

    1. BrianKrebs Post author

      All major card brands are affected, from what I’ve heard, and all major card associations, including MC, Visa, Amex and Discover. I.e., if it was used in target between Black Friday and Dec. 15, there’s a good chance it was compromised.

      Note that having a card compromised by thieves is not the same thing as having fraudulent charges on that card. It is still very early days, and the fraudsters tend to take some time in offloading the stolen cards. There aren’t exactly a lot of people out there willing to buy millions of stolen cards at once. So it takes a while for fraud to show up.

      Meantime, the issuers may be weighing the costs of reissuing vs. waiting to see whether their impacted cards will indeed have fraud on them.

      1. Tucker

        Thank you Mr. Krebs. Don’t think I am going to wait to see if my info gets sold. 🙂

      2. voksalna

        Brian, every time I see this it reeks of a form of taking advantage of the customer via ‘risk analysis’. By not reissuing cards, or at least making an offer to consumers, they are doing the same thing as instance insurance companies do — paying costs up in the chain while letting the user do the actual suffering, and it all just equals a money figure to them — not the time and headache and occasional loss of everything to a person living paycheck to paycheck of having no money all of a sudden. People should be angrier at the banks if they don’t reissue, more than at Target at this point, provided Target discloses to the banks.

Comments are closed.