Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year.
Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.
Original story;
According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.
Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.
Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.
“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million of cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”
Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.
In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.
This is likely to be a fast-moving story. Stay tuned for updates as they become available.
Follow-up reporting on the Target breach:
Cards Stolen in Target Breach Flood Underground Markets
New Clues in the Target Breach
A First Look at the Target Intrusion, Malware
A Closer Look at the Target Malware, Part II
Fire Sale on Cards Stolen in Target Breach
Card Backlog Extends Pain from Target Breach
Target Hackers Broke in Via HVAC Company
Email Attack on Vendor Set Up Breach at Target
Who’s Selling Credit Cards Stolen from Target?
Most large retailers have fraud groups that in working through a possible fraud need the entire credit card number for their investigations. PCI does allow for the full display of the credit card number for those internal personnel that have a business need to know. Typically, others internally, including the POS device, should show a truncated card number (PAN – Payment Account Number) displaying only the first 6 or last 4 or both of the card number. That means that they are storing the card number but it should be encrypted using strong encryption such as AES-256. It’s going to be interesting to found out the skinny on this one. It will help us all on how to better secure and assess the security over the PAN and sensitive authentication data (SAD).
Can someone explain to me why CC data isn’t encrypted in transit?
It is in transit only. So before its being transmitted it can sniffed.
I’m confused about that, what regulation states that when the card information is in route to the merchant bank, from the card terminal, that it has to be encrypted? I haven’t been able to find anything about that.
Of course they just lifted the information when the card was being read, same thing that happened to Schnucks.
PCI DSS 4.1 – “Use strong cryptography … to safeguard sensitive cardholder data during transmission over open, public networks” There is no requirement to encrypt while in transit over an internal network. Huge gap in PCI, but the entire standard has huge flaws.
Mike, you are correct, but I would argue the lack of encryption during transmission on the internal network is hands-down the biggest flaw of all.
Are you sure about that? I thought there was an encryption-at-rest requirement as part of PCI-DSS.
PCI only states that card data must be encrypted at rest and after authorization, unless it is over the internet. So when you swipe your card it does not have to be encrypted until VISA, MC, etc authorize it. And that isn’t going to change because the card brands don’t want to pay for the necessary upgrades on the back end and they make the rules. Merchants can be diligent and encrypt back to their central processing system if they have one, but from there to the card companies is all in the clear unless it is over the internet.
It’s all politics and passing the buck from the card brands. If end to end encryption or tokenization were enabled it would at least take a small bite out of these breaches.
this breach smells like Dexter or similar, probably then leaked out via an allowed TCP port using SSL, etc. i bet ya the egress fw rules are too loose. that or there was some other compromised hosts internally that were able to get out to the internet due to loose fw rules.
barnacles.
My last comment was in error. Please ignore.
Someone just replied that this message was sent in error using my name. Apparently, there is no correlation between the name and email. Not a very good control. I won’t be commenting on this site anymore. Let’s hope all is found out soon regarding Target. Ciao.
It seems that everytime someone comments, their information is auto-populated into the “Name” and “Email” fields. What’s up with that?
That is your browser doing that.
It’s one thing to have your own info automatically stored. Now, though, it’s including information from the last person who posted here.
I’m a little teapot.
Does anybody know what kind/brand of PIN pad that Target US uses?
Equinox is my understanding
vast majority since last year are Verifone. About 50-60K devices of verifone and only 5-10K remaining of equinox/hypercom. based on description this is data at rest or line sniffing. PINpad breaches far less in qty but usually involve also stealing a PIN.
If target treats your information the way thet treats their workers;Good luck! All they care is about the daily store quota! All they care is about buying “Race Cars” with your hard earned money! any one who shops there desearves everytning they get.
You have to consider three different capture points.
1) Data at Rest = The place where this info is stored. (Must be encrypted to comply with PCI)
2) Data in Transit = The movement of this data from the capture device to the “Data at Rest” location.
3) The Capture Device itself.
If at any point where data moves from #3>#1 that data is exposed in “clear text” (Non-encrypted) it is “at risk”.
This is a somewhat simplified view. Data at rest encryption can be disk level and pass PCI muster, so someone with system level access could see plaintext data. The standard is laughably broken, and the group that owns it employs too few people to even begin to fix it.
My debit card got compromised twice in the last two years after using it at a target store. Each time I’d make a purchase in AL, someone would start using my card number and pin to make purchases at target stores in CA. The target store employees and toll free number weren’t interested when I tried to report it so now I won’t shop at target if I don’t have cash to pay for my purchase.
We had the same problem recently and we are in Alabama and our card was also used in California and now Florida on another card!
You should never use a debit card outside you local community, because at least that way the local law enforcement will investigate it just like they do any other theft or robbery. Once you go to far away, it becomes an FBI issue, or state police, or state attorney general problem, and they generally don’t look into it unless it exceeds $5000 in value.
Even then you only have 48 hours to report the loss and not be responsible for it. Probably a good idea to check it daily for suspicious activity.
Actually – not true for consumer accounts. You have up to 60 days past the date of your last statement drop to contest bad charges to your account. Not 48 hrs.
While I appreciate the news coverage this is receiving,
—–> PLEASE tell consumers what they are supposed to do.
Should everyone who shopped at Target block/close their accounts? Is doing nothing acceptable at this time? “Watch for unauthorized transactions” is stupid advice: Oh, look, my accounts have been wiped out. I guess I should notify someone now!
Very few of the 40+ million account affected belong to security experts. Advise them what they should do.
Alyssa,
I had a bank debit card I used at Target during the Nov 27-Dec 15 period so I called my bank and cancelled the debit card and had them issue me a new one. You might want to do that.
Two options regarding credit/debit cards.
1) Review accounts regularly for unauthorized charges, if they appear report them to have them fixed.
2) Call issuer and have them replaced, which means updating any auto-pay you have.
IMO, #2 is better.
if the card was in breach pool it should be cancelled, period.
Here’s what consumers can do.
Carefully read through these two announcements from Target if you shopped in their US stores between Thanksgiving and December 15.
http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores
https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca
There you will find advice to closely monitor your purchases though your card issuer and to keep an eye on your credit reports.
Don’t take this the wrong way, but you shouldn’t be asking an IT security expert for that sort of advice, you should be talking it over with the bank or organization that issued you the card. A security professional like Brian Krebs here is going to be more focused on the compromise – the “hack”, so to speak – than anything else.
Contact the support number for the credit card for that advice. Don’t rely on a third party who’s not in law enforcement, get the word directly from the card issuer on what you should do.
All the other comments in response to yours are valid, but I’ll add that debit cards are particularly vulnerable and if you suspect yours was used at a Target in the specified timeline then you should probably work with your bank to get a new card number.
Simply put: debit cards use your money while credit cards use someone else’s money. A stolen credit card shouldn’t drain your bank account, while a stolen debit card may have that potential. Using a debit card has very little benefit but very high risk for the consumer, although merchants love it because they get charged a lower processing fee.
Can someone explain why Target is recommending that we check our credit reports for fraudulent activity? What other information was stolen that would make this advisable? I don’t understand, as I thought it was just credit card/debit card info (name, card number, CVV and possibly PIN) that was stolen.
You watch the credit reports to see if someone opens up accounts using some or all of your data. You watch the credit reports and notify them of possible ID Theft. From what I understand, the data that is captured on the magnetic strip is what was stolen. People shopping at Target scans: store issued cards, bank cards, credit cards and driver’s licenses depending on the transaction. All that capture data can be used to access data broker accounts (ie. Accurint, Intelius, credit bureaus, etc). I’m sure once Target gets a handle on what happened and to what extent they will work with their customers to protect further harm. But, in the meantime, if you know you were affected, report ID theft to FTC, State Consumer Agency, and bank. Watch credit bureaus for unusual activity and maybe get new cards issued.
Would it be sufficient to put a fraud watch on your credit report? I mean, I can’t afford $40 a pop to look at my credit report every few weeks.
If you report ID theft to FTC as well as your state consumer agency and keep track of the report number, that *should* be sufficient to dispute any unauthorized transactions until we see how Target handles this. My bank even has a fraud notifier reporting option, check yours too.
I am assuming, based on prior ID breach incidents in other companies, Target will pay for their customers fraud alerts on their credit reports. That is normally how these companies handle this.
put credit freeze on your credit reports! all 3 agencies listed on the Target site breach incident page. the freeze is free to do. i urge everyone to do this regardless of breaches like this. a bigger threat is via the Obummer-Care (ACA) website that is linked to fed databases that have PII & SS# of every American !!!
You can’t open a credit account with just the data off the track of the card.
The main reason is the more information that someone has about you, it makes their job easier of obtaining other information about you. And if they’re able to obtain enough information, they can start opening accounts under your name.
Ellen, I work at a financial institution and one of the areas I manage is Credit/Debit Cards. The reason they are suggesting customers be on the watch for “Identity Theft” is because many times identity thieves build on many pieces of information that can be obtained from various sources. They now know your name and card information, and through various public and private sources can easily gain additional pieces of information. Eventually they may have gathered enough information to be in a position to open new accounts. Hence the need for you to review yuor credit bureau activity. And by the way, PIN numbers were not stolen. The only way for that to happen is for a thief to actually witness you entering your PIN at a terminal. It isn’t something stored on the magnetic stripe of the card.
Target is recommending you check your bank/credit reports because with your Name Account Number, and Pin criminals can get a lot of information.
1) People tend to use the same passwords and pins, meaning that simple research can yield more personal information and get more of your identity.
2) Check your bank accounts because with just the information already revealed criminals can run up large balances that you will be charged for.
I’ve had my credit information stolen at least twice. The biggest scare was when somebody racked up $6,000 in charges to my American Express Account. Sadly this happened on the same day I was moving. Thankfully American Express caught it. They called me just as I was about to call them. Others are not so lucky.
time i had card compromised i was notified by my bank, they said “your card was compromised so we are cancelling what you have, will send new one”, i called bank and said “great, where was the breach”, they said “we dont know, contact MC”, i call MC and they said “your bank has to tell you that”. absurd, i wanna know where my card was breached so that as a consumer i can choose to shop there or not. thus i am only left with a new card which i may again use at the same place where my card was compromised.
The bank isn’t told where the breach occurred. We typically learn from the media. The alerts that come from MC and Visa are very anonymous.
Brian,
Am not sure whether any one asked you or not, How you got to know that “Target had suffered a security breach ?”
Can any one explain how Brian concluded this ?
Sign up for Brian’s twitter. This is where he sent out the first heads up about it:
https://twitter.com/briankrebs/status/413449059576594432
Brian concluded this because reliable sources told him it happened. Brian has many such sources and he often breaks stories like this.
While it’s not necessarily profit margin impacting, there is cost to Target here (a guess would be 500k):
a) for the forensic investigation which can be pricey
b) their payment processor can fine them in relation to their PCI Compliance
c) payment processors can seek payment reimbursement from Target for processing replacement cards
d) they will likely have to offer credit monitoring to any impacted customer.
I don’t see how they get out of this one for $500k.
I suspect lawsuits, fines and legal fees will drive Target’s cost into the millions. In addition, the bad press and lost consumer confidence could easily cost millions more in lost revenue.
This won’t be cheap for Target.
The cost can be as high as $200 per compromised card and in the end all consumers pay. Too bad potential solutions don’t get the same level of publicity.
Re cost
“2013 Cost of Cyber Crime Study: United States,”
Ponemon Institute, October 2013.
See http://www.ponemon.org/library
under archives 2013 October
Re POS Skimmers
http://www.pcworld.com/article/2032336/researchers-find-new-pointofsale-malware-called-blackpos.html
Re ATM Skimmers see
http://arstechnica.com/security/2013/02/how-alleged-crooks-used-atm-skimmers-to-compromise-thousands-of-accounts/
A cell phone hacked POS terminals
http://bits.blogs.nytimes.com/2013/06/06/robbing-a-gas-station-the-hacker-way
Smarter cards can be of little help
http://news.bbc.co.uk/2/hi/science/nature/8511710.stm
In the end the consumers suffer, but the banks take the loss. Banks don’t have much leeway in getting the losses back from the merchants unless you have huge losses. The banks just eat the loss against the interchange revenue they receive.
Is there a private right of action against Target? Is Target looking at a massive class action suit?
Why are they keeping all of these card numbers in a central location? Shouldn’t it be processed and discarded immediately? With technology at this point just process the damn card at the POS and never centrally store even within a store.. and definitely not back to a HQ.
some places store card data for various reasons. but even under encrypted storage a trojan can possibly hijack the process that “gets” the data, thus using normal authorized process to decrypt. but in general, yes, use and destroy, but you should lookup up Dexter to see where the issues are even with use and destroy methodology. the card data has to come out of the card reader encrypted and be sent to processor to be totally safe, P2PE solutions are the only way.
In a perfect world you would be absolutely correct. But sadly batch processing of payment information is still allowed regardless of the volume of the transactions involved. Some processors give a discount to batch processing compared to real time transactions, so my guess is that the batch file is what was exposed here.
Target is realtime card auth, no? my guess is, since Target seems to indicate over a period of time, this smells more like POS infection vs batch file harvest. fed agencies monitor big retailers and tel-com traffic, so i also suspect Target themselves didnt discover the initial evidence, my guess is that the FBI notified Target of suspicious data flows, etc.
Target and other big retailers typically use Visa MDEX for authorization. Settlement is typically batch file. Track data is prohibited for settlement, so the breach likely occurred somewhere in the authorization architecture.
I used my amex at a Target store on Dec 5 in California for a small (under $40 purchase). Thought it was odd the clerk asked to see the back of the card for the security code from the back of the card. I commented that’s the first time I’d ever been asked for it. (I’d only ever used that code in on-line purchases. ) She thought it was weird too & said the computer was asking for that verification.
perhaps a random request to prove the card you had was legit, all the way to the CCV #, etc?? or maybe thats Amex policy and the POS app is programmed that way. was it at just this one Target store?
This anecdote is suspicious. Amex has its code on the front of the card, not the back.
Amex CVV is 4 digits on the front, Visa 3 digits on the back, as depicted at http://www.cvvnumber.com/
Can anyone explain how the Target Red Card (Debit version) is affected? It’s not a mastercard, visa, discover, amex but is tied to a checking account and needs pin to use.
ReCard is linked to say your debit acct #. if they have your RedCard info they simply use that. but i cant see Target not killing any RedCard that was in the breach pool, it would be stupid for Target to allow those RedCard’s to remain active.
The Debit RedCard can only be set up by providing a voided check at a Target store. So it is linked directly to your bank account, not to any bank-issued debit card that may also be linked directly to your bank account.
‘Target National Bank’, where this account data would be stored and used to send the charges onto your bank, was not hacked; only the payment system within Target stores was hacked.
Also, Target spokespeople are currently saying that so far, they don’t think anyone’s PINs were compromised; only the data stored in cards’ magnetic stripes, which doesn’t include PINs. Unlike Visa/Mastercard-affiliated bank-issued debit cards which have a signature-only option (and can be used with neither signature nor PIN online), Debit RedCards can’t be used without the PIN (and can only be used at Target stores and Target.com).
1) PCI DSS only requires encrypted transmission for cardholder data over public networks. unencrypted on internal networks is fine. still better to encrypt, but this comes with technical challenges and $$.
2) this smells like Dexter or variant to me. i cant find much info about Dexter hitting IBM SurePOS, but i suspect something like this.
3) the reporting requirements are lacking. your card could be in that breach pool, but you may not know until days or weeks or months later.
4) there are many people at Target or their vendors who know the flaws of the system and/or have access to customer data.
1) Whoa. Why is the previous poster’s private information showing up in my web form? That’s really messed up.
2) My understanding is that PCI forbids the storing of the entire magnetic strip. The way I read this article, thieves are believed to have stolen exactly that — all of the magnetic strip data. That tells me that they were snatching it in transit, not off a server somewhere.
lookup Dexter
@Dirt, RE: Whoa. Why is the previous poster’s private information showing up in my web form? That’s really messed up.
Brian knows about the problem. Use http://krebsonsecurity.com/about/ to report any problem with the website.
“They now know your name and card information, and through various public and private sources can easily gain additional pieces of information.”
It seems to me that all they would know is the debit card number (not my bank account number?) and my name. Or am I wrong? I guess I just don’t understand how they could piece together enough from that to do things like steal my entire identity.
Arbor was seeing elevated attacks on POS systems recently… hmmmmmmmmmmm.
http://www.pcworld.idg.com.au/article/533593/point-of-sale_malware_infections_rise_researchers_warn/
this article states “It’s not clear how many cards thieves may have stolen in the breach”.
not true i say. the Target notice on Target site says Target knows how it happened and thus has stopped it.
Brian’s story went up before Target made a statement.
PCI is a joke. The Payment Card Industry’s attempt to shed all blame to the retailer. There is no reason in this day and age that card data shouldn’t encrypted end-to-end and require some 2-factor of authentication. The card companies need to take responsability for their weak product security. Instead they strong arm the retailers by throwing them under the bus during a breach and threatening to take away their card processing capability which would be a death blow to most retailers.
and to add on to this, i have seen QSA’s improperly scope during an audit. PCI SSC needs some major overhaul, and, the funding for that overhaul has to come from the PCI SSC membership.
IMHO the FTC should be focusing on the card companies rather than merchants. The FTC will be all over target and probably impose a consent order on them in the end like they did TJX. That’s 20 years of hurt.. However, after so many breaches one would think the FTC would focus on the source of the problem, which is card security.. The security of the card itself and the ease of which to get the data to duplicate or use the card information fraudulently has to be addressed. History has shown that these breaches will continue until card security is addressed. Even after receiving a clean ROC companies are routinely breached so PCI DSS is not the answer.
Target is full of [fill in the blank] – the breach started long before Nov 27. I have had to cancel 2 cards (different issuing banks) in the last 2 weeks because of fraud. They were cloned and swiped – one used in Milwaukee, the other in Louisiana. I’ve never been to either of those states. I thought it was incredibly strange that this exact same thing would happen to me twice in 2 weeks on separate cards – what are the chances – so I checked my two statements against each other and the only place I used both cards was Target. But, the latest I used those cards at Target was November 9! I haven’t used either card in the US since November 11, as I’ve been out of the country! I’m furious that this happened to me and that it’s inconvenienced me so much (plus I’m out of pocket because I have to pay international Fedex charges to get one of the new cards). But I’m even more furious that Target is lying to the public by saying the breach started Nov 27. If you’ve used a card at Target any time in November, watch out! Might as well cancel it now!
Your two cards might have been compromised at two different retailers – commonality of Target purchases on both cards and a high-profile and widespread case in the press doesn’t mean that the Target breach extends earlier than indicated. However, even if the Target breach does extend back earlier, this scope may not yet be known by Target, so even if that is the case there is no evidence that they are lying. More details will undoubtedly emerge over the next few days.
I have been trying to contact Target’s debt card telephone number all day to cancel my card. I get a strange busy signal when I call. Is the phone off the hook? So, I went to my bank and put a stop payment on all transactions associated with this card. It cost me $31.00. I then proceeded to the nearest Target store in Homewood, Alabama. I was told the problem was corrected and I didn’t need to worry. I said I still wanted to close this account or cancel this card. The manager told me they could not do it from the store that I would have contact the number that is constantly busy. I am NOT a happy customer. I can open a debit account at the store but I cannot close it at the store? I am also going to seek payment from Target for the $31.00 stop payment charge from my bank. Anyone have any ideas of how to get this card cancelled or acct. closed?
Good luck with that Patricia. I have heard from numerous sources that Target’s phone, internet and other ways of reaching the company today have been completely overwhelmed today.
Now, consider how many banks are impacted by this breach, and you have an idea of the volume of calls *they’ve* received as a result of the breach as well.
Brian, you might find it interesting that the “manager” told me the media have blown this out of proportion. She continued to tell me the problem has been solved and how Target looks after their customers. She stated this has happened at Wal-Mart and other large retailers. I told her I didn’t care I wanted my acct. closed. There is something wrong when you can open a debit account at the store but cannot close it there. My reply was her great company would be hearing from my attorney.
I tried their website as well. I understand their system and phones are overloaded but if they are really wanting to “look after their customers” why don’t they put a link on the website to “click here” to cancel your “REDcard.” Oh well, lesson learned. Thanks so much for your reply. I appreciate you breaking this story!
Not to defend the media, but Targets very poorly written media response has caused a frantic and hysterical reaction by the consumers. Your all going to be victims of ID theft. All your personal information was stolen. Quick run and protect yourselves. What a bunch of nonsense.
Agai. The consumers have zero liability for any fraud if it occurs. It is a pain, that I agree to switch payment information, but no ones I’d was stolen.
I work on the industry and have spoken to several of my peers and None, zero, nada have reported any PIN based fraud. So that tells me no PINs we compromised as we would see ATMs across the globe lighting up with fraud, which we do not see. Which also means the RedCards are safe as they also require a PIN.
So Targets failure to work with issuers to get out a correct and measured response.
Is Target really just telling people “no worries, we fixed the issue”? Idiots, peoples card info was stolen, so fixing the ptoblem doesn’t undo the stolen card info. Target is retarded!
Who was Target’s QSA? Or did they use an ISA?
A passing ROC doesn’t protect 100% against sophisticated infections, a implant of Dexter variant may go undetected for a long time. Customers should be asking for a copy of their latest ROC.
Is there any way of knowing if this affected ALL Target stores across the U.S.? And how certain are they of the start date of all of this?
I’ve found this morning that logging into my bank account online was very slow, I wonder if their servers were overwhelmed with people checking their accounts and tightening up their security alerts. I last used my card at a Target store before the middle of November, but I’m still watching things very closely and I’ve tightened up the security alerts on my account as well.
This I guess makes a case in point for thinking about linking a “real” bank debit card to a retailer’s debit card, basically “vaporware” when the money is sitting in a bank somewhere else. You not only have to concern yourself with your bbank’s security, you have be concerned with the security of the keeper of the debit card info that your info will come from. Remember when Microsoft came out with “Passport”, which was planned to be the one single source password for all of the internet?