18 Dec 13

Sources: Target Investigating Data Breach

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.


Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
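As an added example (not part of the original article), here is a small Python scanner of the kind a PCI data-discovery or incident-response tool uses to find magnetic stripe track data at rest: it matches ISO/IEC 7813 Track 1 and Track 2 records in a file, log or memory dump, drops Luhn-invalid matches to cut false positives, and reports only masked PANs. The dump and card numbers below are constructed test values (4111111111111111 is a well-known test PAN, not a real account).

```python
import re

# Layouts from ISO/IEC 7813 (magnetic stripe "track data", the data type stolen here).
# Track 2: ;<PAN 12-19 digits>=<YYMM><3-digit service code><discretionary>?
# Track 1: %B<PAN>^<cardholder name>^<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list:
    """Scan text (log, file, memory dump) for Track 1/Track 2 records with Luhn-valid PANs.

    Returns findings with the PAN masked; the raw track record is never copied out.
    """
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            svc = m.group("svc")
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": m.group("exp"),
                "service_code": svc,
                # First service-code digit 2 or 6 means the card also carries a chip (EMV);
                # a cloned stripe then only works where the terminal falls back to swipe.
                "chip_card": svc[0] in "26",
            })
    return findings


# Constructed sample: a fragment of what a POS process dump might contain. The PAN
# 4111111111111111 is a well-known test number; the third record has a deliberately
# bad check digit to show the Luhn filter discarding it.
SAMPLE_DUMP = (
    "pos-lane-07 tx=88213 status=approved\n"
    "%B4111111111111111^DOE/JOHN^15121010000000000000?\n"
    ";4111111111111111=15121010000000000000?\n"
    ";4111111111111112=151210100000000?\n"
    "pos-lane-07 tx=88214 status=declined\n"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_DUMP):
        print(finding)
```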


It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards in total, across both issuers, that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.

Have you seen:

Cards Stolen in Target Breach Flood Underground Markets … Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.


620 comments

  1. I’ve used my Target red card. That is attached to my checking account. Would their red cards have been affected? What do I do? Close the checking account?

    • Target needs to address these issues ASAP before more damage is done. That’s my store though – they actually sell wild-caught fish.

    • Yes, close your checking account.

      • For now that’s an overreaction as this article says NOTHING about the actual bank routing & account numbers, which are stored in a central Target database (NOT on the magstripe like the card number). Actually, the risk may be slightly *less* with REDcard debit than other cards because (a) they *always* require a PIN (even REDcard credit doesn’t), and (b) even with a dupe card & PIN it can *only* be used at Target stores & websites (yes, even the websites require a PIN). For the hacker to withdraw from your bank account any other way, he/she would have to breach the central database and get your routing & account numbers.

    • It is likely we will learn more as the details of the breach become clearer. These investigations take time. In the meantime here are four steps you could take:
      1. Print a copy of the current statements for EVERY credit card you may have used at Target during this time period. Keep an eye on your statements going forward and report anything that is odd.
      2. If you want more info the PrivacyRights Clearinghouse is a trustworthy source of steps you can take now. https://www.privacyrights.org/how-to-deal-with-security-breach
      3. The FTC is the best place for information on what to do and who to contact if sometime down the line you believe your account has been compromised. http://www.consumer.ftc.gov/articles/0271-signs-identity-theft
      4. Set up alerts for your card (there is an “alert” option in the RedCard menu bar on the left).
      And of course keep an eye out for the letter Target will send with details!

      • The smartest post here right now. Don’t panic, folks; more than likely even Target doesn’t know the full extent of the breach at this time (that’s why the Secret Service is investigating). They aren’t speaking because they don’t wanna say something that later turns out to be false; besides, the story went viral after the PR folks went home for the evening.

    • Closing the redcard account or having the card reissued should be more than sufficient. The checking account can only be affected while it’s still linked, since it’s not encoded anywhere on the card itself.

    • Don’t close the checking account. Monitor your accounts and request a new red card through Target. If you see any odd charges just let your bank know.

    • Kim – the red card BINs are for sale right now…looking at them. Like others have mentioned, getting issued a new red card will sever the link your compromised number has to your bank.

  2. What if I used a Target red card which is linked to my bank?

    • ANY card swiped through their readers is at risk. The stripes use standard structures for storing data on the card.

      • Yeah, but the question is what CAN the hacker do with the data. For Visa/MC/Amex/Discover, a hacked magstripe can be put on a duplicate card and used anywhere; but even with a duped magstripe, REDcard credit & debit can only be used at Target (and REDcard debit also requires a PIN in *all* cases). And as I posted earlier, the actual bank account data for REDcard debit is in a central database; what’s come out so far does NOT suggest that was hacked (though it’s too early to rule that out).

        • Apparently from reading other stories on this, such as on Ars Technica and The Wall Street Journal, the thieves also intercepted and recorded PIN information along with copying the information from the mag stripes. In this case, I would suggest the immediate cancellation and reissue of any and all cards used at Target between September and December of 2013 (I can guarantee you from past similar incidences that they only caught on to it now, but that malware was running for at least 1 month on those machines before the assumed dates).

          This type of malware, from what I’ve been reading, wouldn’t have been stopped by the EU/Oceanic Chip & PIN solution either, as it was intercepting all traffic at the hardware level in the pre-encryption state. There are a few card services here that offer Chip & PIN, and these cards seem to have also been affected in this breach.

  3. I had a fraudulent transaction posted at a Flushing, NY Target on 13 Dec 14. Three transactions were attempted but only one went through. My bank USAA caught on to the fact that I live in NC and was unlikely to be making POS purchases in NY.

  4. This is most likely unrelated, but I went to a Target off Lincoln in Anaheim, Ca. on the 11th and spent $150 in the cell phone department. It’s an inviting store. But I’d never had such a difficult time swiping my debit card. After 3 tries it went through. I had to swipe it weirdly near the edge of the reader (rather than inserting it flush inside the gadget). And it did worry me later. I changed my PIN.

  5. I shopped Target on Black Friday. On December 5th someone duplicated my debit card and used it at an AutoZone for $299.99. I went through 2 weeks of my account being frozen and waiting on a new card. I’m now afraid to shop anywhere. After reading this, I would like to know how Target is handling this & what future measures they are taking. I will not shop Target at this time.

    • They physically had my card while I still had mine. A worker at AutoZone said this person came in and used my physical card and signed for it. I asked AutoZone if they check ID. Their response was, “it’s not their policy.” If it was, maybe they could have caught this thief!

      • Requiring ID to use a card is typically against the credit card networks’ merchant agreements. They want it to be convenient for you to use your card. Since cardholders aren’t liable for fraud, you shouldn’t have to worry about anything. Just report the fraud to your card issuer, get a new card, and forget about it.

        It actually irritates me when a store breaches its merchant agreement and requires ID. If the card issuers want to take the risk of fraud to make using my card easy and convenient, I’m all for it.

        • That’s why all of my cards have “Please ask for photo ID” on the back of all of them. Some clerks never look. Most do. It wouldn’t help on a card re-coded with the data from my stripe.

        • Don’t believe all you read. The card brands will make Target pay for all investigation costs, card reissuance, fraud on the card and fines and penalties to boot. Visa and MasterCard will not lose any money. Only Target or the bank that issued your card will have to pay for this. Your ease and convenience is crippling merchants in the US. Cards should be more secure. Period. Chip technology is required in the EU but not in the US. Signature debit is crazy. PINs for both credit cards and debit cards would help.

      • So, they were able to use your card locally?

  6. I bought an iPad Air at a local Target in Northern NJ on Thanksgiving eve, and the next day my debit card was hacked; someone tried to order 100K from the Apple store. I didn’t have more than 1,000 in my account, but it took a week to get it back, and I had to close my account. Very stressful!

  7. I used my Target card to make a purchase online for the Black Friday sale. After 1 day I received an email that had my correct address but the wrong city and zip code. Not sure how it was possible because I typed it myself twice. I live in Southern California and the product went to Northern California. I called target.com and was told to speak to UPS. UPS told me I needed to speak to Target. This process went back and forth. Finally I blew up on the next person I spoke to. At this point, I’d already been billed and had paid the bill in its entirety. My call was escalated to a supervisor who seemed to care less. I was told that the product was being returned to them and that they would issue me a credit. According to the UPS website the product was being returned to the sender; however, they supposedly have not received it. I was also informed that I would have to repurchase the merchandise in the store. I went to Target and the item has been discontinued. Normally I wouldn’t go through the trouble, but this was my daughter’s Christmas gift. I did tell the manager I simply wanted them to send me what I ordered; he said unfortunately he could not. My order was placed on November 27, 2013. It is now December 18 and I still have not received a credit.
    Also, when you type my address in google, it automatically defaults to my current city. Someone had to manually change that information. I would love to know what the investigation unfolds. As of right now, the whole situation is crazy.

  8. By the way, the item was a digital camera.

  9. Would changing the PIN on your debit card instead of canceling work?

    • Most debit cards can be used as credit.

    • Change the pin BUT chances are any cards that may have been affected will be reissued by the credit card company (Visa, MC, AE or Discover).

    • Changing the PIN *may* work on REDcard debit, as that card requires a PIN for *all* uses (even online); I’ve already done that as an initial precaution. (It may not, depending on what data the hacker actually has.) It will *NOT* work for other kinds of debit, as Jason described; even debit cards *without* a Visa/MC logo can be used in some cases as “PIN-less PIN debit”.

    • No, changing it will not work, as debit cards can still be run in some places as a credit transaction without the use of a PIN. For instance, online ordering.

  10. I used my card Thanksgiving night in Ithaca, NY Target and noticed purchases on the 17th at two grocery stores in the Commack area of NY. Called bank and they are reimbursing me the fraud charges. You need to get a new credit or debit card.

  11. I shopped at Target December 2nd and had weird withdrawals and charges at 3am on my card the next day. I reported it a few days later and was told by the bank someone would have had to physically take my debit card. So, I assumed some family house guests staying with me at the time stole the money. It was a small $40 withdrawal and maybe $15 at a local convenience store. Would the people responsible for this Target fraud do that?? Would they only take small amounts?

    • They may be trying to see if the card works and what is in the bank account.

      • Hm, interesting and makes sense. I didn’t catch the fraudulent charges until a few days later. So, they would have had time to take more. Very odd…

      • No, they actually don’t often do that. What happened is they already have started duping and distributing the cards right from the get-go. This is a somewhat typical large carding operation and I would not be shocked to find some sort of organized crime group behind it (not the Italian kind). More than likely we are dealing with crackers from Eastern Europe (the Ukraine, Estonia, or Lithuania more than likely) doing the computer work while the local guys are more than likely immigrants of some sort from either Europe, Africa or Central/South America.

        This happens way more often than it should, involving people from the same parts of the world, more often than it should (and it isn’t limited to the US, this happens in Europe, Canada, Australia and elsewhere).

  12. When are the payment card issuers going to wake up and come up with a better mechanism than unencrypted numeric account numbers? It is a hard problem and they continue to sweep it under the rug by making merchants comply with PCI rather than fixing the underlying issue.

    • Chip & PIN would help, but Visa is pushing for Chip & Signature which is essentially no different than what we have today.

      Enough is enough with this stuff. Chip & PIN is not 100% secure, but way better than the system we have today.

  13. Hi Brian,
    We shopped at Target on 12/8 and used our bank card as a credit card (Visa). Ugh!!!!! We’ve been through identity theft a couple of times. Both times were with major credit cards. The first time was over 7 years ago – had to have signed affidavits, etc., the whole works to make our claims. It all straightened out, but was a hassle. The second time was within the past 3 years and it was a breeze.

    We never use our bank card online – either as debit or credit. However, after seeing this report, I don’t want to use our bank card for any purchase. I think we will just use cash or our credit cards and pay those bills in full each via check. The old-fashioned way. Yes, there is risk with everything, but I think it would be much less risk this way. We already only withdraw cash from the bank’s ATM machine – in their building.

    As for our current situation, we’ll be calling the bank first thing tomorrow morning and definitely requesting new bank cards. My question is this: Should we also request new checking and saving account numbers? Yep, it will be a hassle, but would that be the safest thing to do at this point?

    • For Visa/MC debit, definitely ask for a new card; but unless your bank account number was on the magstripe (unusual but not 100% unthinkable) you should *NOT* have to change that. Most debit cards are tied to bank accounts only by the bank itself or its card processor; cancelling the card itself should be sufficient in most cases. (Don’t just change the PIN; even PIN-debit cards without a Visa/MC logo can sometimes be used without a PIN.)

      REDcard debit is a different issue; that will depend heavily on exactly HOW the breach occurred. If the hacker has ONLY magstripe data, for REDcard debit that’s useless without a PIN (required for those cards even online); even a duped card & PIN can only be used at Target. However, IF the hacker got into the central database, bank account numbers COULD be compromised (reports so far suggest that did NOT happen, but it’s too early to rule it out). It wouldn’t hurt too much to replace your REDcard, but IF the worst happened you MAY need to change your bank account also. Stay tuned…

  14. I shopped at the Diamond Bar, CA Target last Tuesday, and Wednesday morning Citibank was calling me to see if I was filling up gas in the Dominican Republic! Someone had recreated my card and was physically swiping it. Disappointing to discover that it was swiped from Target!

    • The Diamond Bar, CA Target, where I usually shop at, has the new POS terminals, the Verifone MX 925 payment terminal. I shopped there late in the time window, and just checked my accounts. Everything’s okay, but I still got new card numbers. As previously posted, the numbers are out there for sale already on fraud websites like “rescator.la”.

  15. This is not limited to cards that were swiped. My wife’s Target card hasn’t been used in 6 months, yet, when we come back from a small vacation from over the weekend, we find 2 mysterious charges on her Target card for $81.

    I would suggest everyone check their statements/redcard page immediately.

  16. I can’t believe Target has refused to respond so far; they should have immediately issued a statement as soon as they knew of the breach to help their customers protect themselves. Apparently this doesn’t matter to Target. I sympathize with the above accounts of poor customer service. The corporation should be held liable. All we can do in the meantime is to boycott Target, and perhaps write a nasty email stating our intentions.

    • That’s premature. First of all, more than likely even Target doesn’t know the full extent of the breach yet, and won’t till the Secret Service finishes its investigation; that’s why they haven’t responded. (It also didn’t go viral till after their PR staff went home for the evening.) Second, it’s almost certain Target *WILL* have to eat any & all losses, though that may take some time; the banks will make sure of that.

  17. Why is a retail store allowed to store magnetic stripe data? For this one fact alone TARGET management is # for data mismanagement. It turns out the biggest USA store has nothing to do with a data retention policy or PCI.

    • Reports so far indicate the swipe machines themselves were hacked. If that’s the case, it makes NO difference whether or not Target normally keeps the magstripe data; the hacker captured it before Target deleted it.

  18. I never shop at Target, and for some reason, I decided to shop there today. Does this mean I should cancel my ATM card?

    • Not yet; by all reports so far the breach didn’t last past the 15th. Be on the lookout, however.

  19. Would this have anything to do with my Capital One card getting used at a Target? Capital One, about a week after Black Friday, shut my card down for unusual activity; in both Clermont and another suburb of Orlando my card was used. But the card was in my wallet. I wanted to know how this happened; I stopped swiping it at the pump and started going inside. I have paid with cash since then at restaurants. Could this be a part of this? They did 4 transactions in the 200’s range, all about 214, probably gift cards Cap 1 told me…..

    • I had not used it at Target for probably about 3-4 weeks prior to that, which was actually in the Orlando area.

  20. Just went back through my credit card statement; the last time I used my card at Target was 9/21/2013 and the fraudulent Target charges were not till 11/16, so maybe I got skimmed somewhere else. It just seems weird that I was skimmed somewhere along the way and they happened to go to Target to spend $210-217 4x in 1 night for, I assume, gift cards.

    So disregard my previous post. This is the most accurate data I have. Unfortunately I use the Cap 1 1.5% cashback card everywhere, so it could have been anywhere I suppose.

  21. I used my Visa card on Black Friday early morning, and someone just made a JetBlue transaction. Called the credit card company and closed mine.

  22. I’m still baffled by the fact that you still use the mag-stripe in the US. And why does the track2 data even go in the clear from the terminal into the POS?

  23. I applied for a Target REDCARD using their swipe machine at the store located in The Villages, FL. I received the card within the last week and used it on Friday, Dec 13. I am concerned that all the info input on the swipe machine to apply for this card could be vulnerable to this breach. Is this possible ICW the credit/ debit breach which is the subject of this article?

  24. @Bufford

    It is not a good idea to write “Ask for ID” on your card. A credit card is a contract between you and the issuer. It is not a valid contract if the card is not signed. And besides, it is security through obscurity, and as any reader of this blog or security practitioner should know is no security at all.

    Cards without a valid signature can be turned down. Read a Merchant Agreement.

    There is a difference between “Ask for ID” and a virtually illegible signature.

  25. I would not be so concerned about red card purchases for the same reasons others have mentioned. However, if you signed up for a Red card during this time I would be extra concerned. These possibly compromised terminals were used during the sign-up process.

    In this case your bank routing number was scanned through the register, so it is not clear if this was also affected. However, this will possibly give the hackers your drivers license number and social security number, which if I recall were used during the registration process.

    Target also recently replaced all of their PIN pad devices with new devices that had color screens. I had assumed this to be a good thing, possibly an effort to comply with new PCI guidance on these devices. For this to be such a widespread event affecting all sites, I wonder if there was a compromise of the new devices in manufacturing that was only recently activated?

    Target has been pushing the Red Card debit aggressively in its stores over the past several months. They offer a 5 percent discount on every purchase with the card. This has me questioning why. Figure they save 2 percent on card processing fees and have a 3 percent profit margin; how do they justify the discount? My only thought was possibly less liability to the card brands for a breach of PCI compliance.

  26. Any debit card fraud is handled completely differently than credit cards. Laws require different responses from the banks and credit card issuers. Banks can wait up to 10 days to replace your funds, and that is if they can confirm the fraud. Like Brian says all the time, never use your PIN. Wondering if the breach was malware delivered during a social engineering event, such as an email spear phishing attack. My money is on the human factor.

  27. What legal liability does Target own when data like this is stolen and used?

    • Doug,
      Target under the Fed law has to notify their customers who were involved in the breach that the breach occurred. However, their liability ends there. It would be very difficult to prove that a card was used fraudulently due to the breach at Target, and that’s where things get fuzzy. The card issuers and banks could take some type of civil action in the courts against Target, and potentially some consumer class action against Target could be taken. Since the laws state that the banks have to deal with the fraud on their side, and issue credits and the like, most of the actions would be between issuers and Target.
      Understand that Target is a very customer-focused company, and that they will probably go the extra mile to help with this situation as much as possible. It will be interesting to see where this all goes. Was it truly card skimming? Or was it malware loaded onto the Point of Sale terminals collecting the data instead of physical card skimmers in the Point of Sale devices themselves? I guess time will tell, and I’m sure Brian will break that info to the press once it is known.

      • So I wonder how they are going to notify 40 million customers in a timely fashion. I do not think posting a statement online is sufficient. There are many customers that don’t have internet access or are going out of their way to look for a posted statement.

  28. http://money.cnn.com/2013/12/18/news/companies/target-credit-card/

    Excerpt:

    The breach first came to light via a report from respected security researcher Brian Krebs that said Target had suffered a data breach around the time of Black Friday last month “potentially involving millions of customer credit and debit card records.”

    (snip)

    Bump!

  29. This is getting ridiculous… We should start asking the hackers how successful Black Friday shopping is year over year. Again, great job Brian.