10
Jan 14

Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen

Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone number and email addresses for up to 70 million individuals.

The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning.  “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Target said much of the data is partial in nature, but that in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.

Target Chairman Gregg Steinhafel apologized for any inconvenience that the breach may have caused customers, and said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.

This latest disclosure also raises questions about what other types of information may have been jeopardized in this data breach. As part of its statement, Target said it would be offering a year’s worth of free credit monitoring services to those affected. Target does collect Social Security numbers from customers who apply for Target Red Cards, which offer applicants 5 percent cash back if they agree to tie their debit accounts to the Red Card. So far, however, Target has not said anything about compromised Social Security numbers.

Reading between the lines, one might wonder why Target is providing credit monitoring services to those hit by what is essentially a credit card breach. Many people conflate credit card fraud with identity theft, but these are two very different problems. The former is quite easy for the consumer to resolve, and he or she has very little (if any) liability for fraud. Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer’s name, which can take many years and cost thousands of dollars to resolve.

The reason Target is offering ID theft protection as a result of this breach probably has more to do with the fact that this step has become part of the playbook for companies which suffer a data breach. Since most consumers confuse credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, whereas experts tell me that this offer mainly serves as a kind of “first response” to help the breached entity weather initial public outrage over an intrusion.

Update, 1:07 p.m. ET: Added additional perspective on this announcement.

Tags: , , , ,

190 comments

  1. It may have been commented on by others, but the zip code information connected with the first announced breach, was the zip code of the Target store where the transaction took place – not necessisarily the zip code of the cardholder. Although since the vast majority of customers shop at stores near their home, it is highly likely the zip code of the store and the cardholder are close to one another if not the same.

  2. Thanks for the information. I am one of the 70 million who used a credit card at Target during that time period and I am not happy. Is there anything else I can do other than watching my credit card transactions? Thanks.

    • Cancel your card
      Ask your bank about what they are doing to protect you about this breach
      Be careful with the personally identifiable info you share online
      Change your email password so that is is long and strong
      Do not use the same password you use for your email account on any other sites

      Dont ever set foot into Target again?
      File a lawsuit against Target and join 39.999.999 other Target customers?

      Buy using cash…and make sure you use an ATM which sits inside an actual bank

      Dont trust anyone and look both sides when you cross the road

      Oh…..by the way…when you receive an email from Target or your Bank explaining what happened and how sorry they truly are…dont click on the link or open the attachment. You will get hit again, and again, and again.

      That is your mission, should you wish to accept it.

      Good luck

      • My card is one that has been used fraudently. I checked my account closely right after hearing of the security breach. There were no indications that my info or card were being used inappropriately, so I thought I was in the clear. Not the case. I was notified this past week that my debit card was flagged due to high dollar international purchases. Needless to say, my card got hit hard. Turns out there were also many small purchases, especially for Apple iTunes, which are easy to go unnoticed. However when added up, they can equal 1000s of dollars. The fraudulent purchases started December 30, intermittently at first and then really picked up January 7. Continue to watch your accounts and look closely for small charges that aren’t yours. Crooks know you’ll readily notice high dollar charges, but not necessarily charges for amounts under $10.

        • Thanks for pointing this out – personally i use a VISA debit card which happens to have a credit card number on it. However i cannot buy anything which exceeds the money i currently i have in my account.

          The stolen data at Target is actually pure credit cards, these will allow indiscriminate spending (the Banks say thank you).

          And you only get the bill much afterwards.

          Personally I believe you should not be usimg a credit card – its an outdated technology. Look at today’s post on Krebs….another retail chain was hit, and i have no doubt its happening many other places

          I guess this makes credit cards a double teouble situation: if its not the Bank cornering you, its hackers. And you end up having to pay afterwards regardless.

          • I thought the stolen data was debit and credit card numbers. With a debit card you’re OK if you have little in your account and don’t allow overdrafts, otherwise not OK.

      • …..and this comment will self destruct in 10 seconds Mr Phelps. 10,9,8,7…..

      • Specially look both sides when you cross the road. You can’t stress enough on that point.

  3. Anyone bothered to investigate TSYS, the credit card processing company out of Atlanta Georgia, that has ties with the bank in Cyprus that was money laundering credit cards back in 2009 ?

    It is kinda strange that they started out as a no body in the credit card transaction world and became the 4th largest processor in the USA within 2 years.

    They were not investigated in the FTC case a f ew years ago, but were never the less DEEPLY involved. Are they involved in this case… time will tell….

  4. CloudFlare, Inc. in San Francisco is still providing DNS and other support for four sites run by Rescator, who was outed by Brian last month but continues to aggressively market the credit card data stolen from Target. I filed an abuse report and CloudFlare ignored it. Their SSL Certificate Authority partner, GlobalSign, did respond by pulling the CloudFlare certificates on those four sites. I believe that CloudFlare may be incurring some class-action liability because of their failure to act on this. The famous safe-harbor immunity statute for service providers in the U.S., Section 230 of the Communications Decency Act, does not apply to criminal conduct. Is aiding and abetting Rescator criminal conduct on CloudFlare’s part?

    http://www.cloudflare-watch.org/target.html

    • FBI (and Secret Service) have been known to continue to allow services like Cloudflare or hosting companies to continue to provide services if it helps them continue an investigation and monitor the services. And it might. If hosting is outside of the US and everything else is outside of the US, it might be providing them with a link to monitoring activity they would not otherwise have. I am not suggesting this is definitely the case, nor that CloudFlare is definitely cooperating (how would I know), but this wouldn’t be the first time things like this were not cut off because to cut it off would make it harder for investigative agencies. Just something to keep on the mind.

      • Of course I’m “keeping this in mind.” The honeypot theory is mentioned on our home page:

        http://www.cloudflare-watch.org/#honeypot

        But I also believe that the feds cannot force CloudFlare to cooperate in criminal activity if CloudFlare would prefer to disconnect from the sites marketing the stolen Target data. That leaves two choices: CloudFlare is all honeypot, and most likely has always been a honeypot, or CloudFlare deserves to be prosecuted for aiding and abetting. There really isn’t anything in between.

        • Didn’t mean to insult. There’s a line between honeypot and assisting in continuing investigations, though. Lavabit for instance was requested to continue on business as normal after passing along the keys to witness the activity. That said, there’s a whole lot of companies which while not specifically working for the government do indeed benefit from providing services to it ‘off the books’. I don’t really agree that those are the only two potential cases. I do however believe that CloudFlair is less interested in protecting criminals and more interested in continuing its business model. To this end, there is probably a lot to be said for the ‘carrot’ that can come wiht their cooperating in these sorts of cases, especially considering the ‘stick’ that can come with not cooperating with them. To be clear I agree with some of the things you say on your site. I don’t necessarily agree that pressuring them to discontinue providing caching services is the best resolution. I’m sure both of us are a bit right and a bit wrong, and that neither of us know the true goings-on, though.

  5. Target extensively revises estimated # of customers exposed by the hack of its data during the holiday season, disclosing that 70 million up to 110 million people had their personal information stolen

  6. I’m confused by the numbers reported. How can 40 million credit and debit card transactions affect 70 million individuals? Some of those transactions were probably made by the same individuals, using the same card.

    I would think that 40 million transactions would map to a smaller number of individuals. 70 million individuals is one in five Americans. Is that possible?

    I’m not questioning Brian Krebs’ reporting. I’m skeptical of the data that Target has made public.

    • From a Chicago Tribune article:

      Target customers whose information — name, addresses, phone numbers and email addresses — was stolen need not have shopped at the retailer’s stores during the busy holiday shopping season, a spokeswoman confirmed Friday. The information, said Target spokeswoman Molly Snyder, was collected during the “course of normal business,” and could include online shopping.

      Today’s announcement on the Target web site doesn’t state that online shoppers were affected, nor does it state that this newly-identified theft occurred outside of the intial breach period. Very scary if this Chicago Tribune article is correct … for how long was the personal data of customers available to thieves?

      • Its simple really – hackers broke into not only the credit records. But also into other systems. I would not be surprised if the breach actually covers pretty much every customer who used a credit card at Target in 2013. i come from a country with 10 million inhabitants. The hought of 40 million credit cards stolen is a monstruosity – is Target going to survive? Who will end up paying for all the money stolen? Your Bank? Seems unlikely – Target will not survive this.

        • I don’t see Target as being unique or negligent. I doubt the entire IT security team at Target are dummies. I suspect it was partially an inside job, and if it was then it could happen anywhere. I still shop at Target, and I use the same credit card I used during the breach period. The customer traffic at my local target appears quite normal.

          • I’m a ‘wait as see’ kind of guy; but then Target should have contacted customers LONG before Brian broke this article if they want us to trust them any farther than I can spit!

            Don’t be so complacent! We need to push retailers to give a shit about security, and start paying IT people more to monitor or even invent better ways to implement it. If they don’t want to do that, and are too cheap ass to do that, then they deserve to suffer the loss! That is just how it is in business. If you don’t pay the piper, then you suffer the loss down stream in the business enterprise!

            Once a competitor shows a spirit of caring about its customer’s rights, THEN maybe we’ll talk about what good business sense they have, and how I’m a big fan of their operation. Until till then I reserve judgement!

            To tell you the truth – I’ve hated the way Walmart has slipped over the years since Sam Walten died, and I’ve been a big fan of Target every since. Especially since they have consistently been more economical on their prices despite the lying ass commercials Wally World has continuously spewed for years! All I have to do is go on line and see that they don’t actually try to compete in the market – they just hammer us with BS commercials to lull us into actually thinking they ‘care’ about our sense of fairness! *puke*

            Well TARGET is fast going down this same alley in my opinion, and better own up to what the hey is going on – or I will quickly become an only online shopper, for goods that are already cheaper than any damn brick and mortar store, and shipping is FREE!

            Why should I expect any more security from them than an online marketer? Huh!? You know what?! I’d almost believe Wally World was behind this whole mountain of shit to begin with!! The total defacement of their best competitor!? Sounds just like dog-eat-dog Americana story to me! “Hey Donny! I got an offer yous no canna refuss! Get online and make trubba for Target! We gonna put them down for sure!” I can see it now, just like da ‘Good-fellas’!”

    • Good question Dan. I would submit that this might be a separate file obtained during the breach. Again, I am just making some logical guesses based on historical attacker behavior. So, they obtained credit and debit card related information, but then maybe, they also grabbed a separate file with addresses, email addresses and phone numbers. Again, they communication that the retailer released was a bit confusing, but that might be intentional based on recommendations made by the Feds who are assisting with this investigation.

  7. Cloudflare Inc, was also involved with hosting the Lulzsec web bullet proof web site last year.

    They were actively harvesting IP addresses, log in’s, domain information, of people that downloaded the data that was stolen by the Lulzsec group. Much of which was planted data, and not real.

    So it is likely they have ties to federal agencies rather deep.
    Based on inside info, it looks like the FBI, but could easily be the NSA also.

    Not sure what they did with the data, but based on what I saw, there were many companies and individuals that found the data entertaining.

    How deep are these agencies involved in this investigation ? Hmmm they, are as usual, not talking.

  8. Why does Target insist on referring to us as guests? We are customers, not guests. Guests do not come to your place to purchase items. Guests come to visit, have snacks and drinks which the host provides, and go home.

    • I think they got the “guest” terminology from Disney. What if someone goes to Target and doesn’t make a purchase? Are they still a customer? Are they a guest? Are they a guestomer?

      • If Disney regards us as guests, why are we charged admission? If you are someone’s guest you do not pay.

      • This was part of the corporate culture at Daytons. Dayton’s department store was the original founders of Target back when. All customers were to be treated by employees as if their were guests in their own home, which was suppose to build an attitude from employee to customer as one based on friendship instead of “I am just here to help you buy stuff”.

        TL:DR its an operations strategy to make employees seem nicer.

        If Dayton’s in turn got this idea from Disney I have no idea but it could be possible.

  9. Target CEO also said, “…At the same time, we remain keenly focused on driving profitable top-line growth and investing our resources to deliver superior financial results over time…”

    Because PROFIT comes before security and your safety. Much waste of time, aggravation and costs to the consumer but hey, profitability is numero uno!

    Hmm, my 2014 prediction for Target is, new CEO, CIO, store closures, consolidation and either name change or sold off to some other sucker, um, merchant.
    Target (tarshay as we say) is now a big, red, bullseye to avoid.
    (I forwarded your links to friends that shopped there during the breach. More disgust and shopping elsewhere they exclaimed, but with eyes on their statements. Several had $250 charges on statements and are waiting for last months paper statements to come in the mail for credit cards)

  10. And the saga continues…wonder what the new headline will be next month. This problem is clearly NOT going away. I’m ready to hear more about the perpetrators. How did this happen? Who initiated what?

    Target is saying email addresses and mailing address have been stolen…that has to be users who used their Target REDcards to make a purchase…otherwise how would they get that information?

    I’m glad I got my new debit card. Anyone who is still not convinced they need to take all of the necessary precautions to safeguard information need a wake-up call. The numbers have jumped, the information breach has worsened. The stories we’ll hear are going to be exponentially worse.

    One thing that I sincerly appreciate is Target’s honesty throughout this whole thing.

    • Good question, Katrina.

      My guess is they will announce that the theft of data was actually occurring much earlier than November 27th. Just a hunch tho 🙂

      • A ‘smart hacker’ would have gotten into the network earlier, done a test while not using any of the cards or PII, and waited until a very busy time where not only would they net more cards, but would be less likely to be noticed by the retail end, the credit card processing end, the banking end, and the customer itself. They would have leaked out loyalty data gradually or at times when it would least be noticed, and almost definitely through a different routing point.

        It will have been earlier, probably, but not ALL will have been earlier. Maybe a few stores.

  11. Has anyone asked “what made Target THE TARGET?”

    Why not Kohl’s or Walmart?

    After all no system is really secure from the efforts of today’s determined cyber criminals.

    I think the answer may be linked to the demographics of Target’s customers as much as their system vulnerabilities. If true, the displays that the criminals had more than a basic understanding of our US Retail Marketplace.

  12. What made Target THE TARGET?”

    Why not Kohl’s or Walmart?

    After all no system is really secure from the efforts of today’s determined cyber criminals.

    I think the answer may be linked to the demographics of Target’s customers as much as their system vulnerabilities. If true, the displays that the criminals had more than a basic understanding of our US Retail Marketplace.

    • They probably looked at those also. To call Target ‘the target’ is probably erroneous at best, just like to say the others were not targets is probably also erroneous. Much of those things are loose targets with a basic understanding via google that yes these places get a lot of customers, so here is a list — see what you can get if anything. Most of it is almost certainly luck and timing, often aided with some ‘help’ via a cooperating employee at the retail (not computing) level as an ingress point. Your mistake is a common one, though.

  13. scott nicholson

    As a red card holder myself, I can tell you that while target has mentioned in an email a few weeks ago it would be offering the credit monitoring service, I have yet to be provided any information as to how to enroll in the service or even who the service provider is. #lackoftrust

    • The Target announcement dated 01/10/2014 says this:

      To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores. Guests will have three months to enroll in the program. Additional details will be shared next week.

      The Target announcement didn’t state that the additional theft extended outside of the original breach period nor did it state that it affected online shoppers, but another article I read did state those things.

  14. Is it possible that due to the high profile nature of this breach thieves are not willing to purchase and use the stolen credit card numbers? Has anyone seen any verifiable examples of fraud due to the Target breach? I saw one news report a week or two ago claiming that a person’s credit card was stolen via Target, but the underlying facts didn’t support the claim.

    • Just after posting my prior message I read this in a Chicago Tribune article:

      Due Fratelli Inc., the owners of Aliano’s Ristorante, say a corporate credit card was used at a Target in Lombard in early December, said Tom Zimmerman Jr., the company’s attorney. The owners noticed on Dec. 10 that about $1,300 in “suspicious charges” were made on the same card through Amazon.com that the owner didn’t make, Zimmerman said.

      • I have mentioned before these cards will most likely mostly only be good for Card Not Present transactions at online locations or in-storing (but with cameras these people will likely get easily caught especially in US and UK once enough data is gathered — it is not likely to be many). Amazon is one of the safer ways for carders to CNP, but they have the need for mules, which means at least a loose network or a dropshipping company willing to reship (many of these exist, and they do have legitimate uses and customers so should not be dismissed as fraudulent).

  15. Scott Nicholson

    What is truly disturbing to me, as someone who is responsible for data security/integrity/PCI Compliance for my employer, is how a corporation the size of Target appears to only to be contacting customers by email. When you sign-up for a Red Card they have access to your address. What disturbs me even more is that both my college age daughters work for Target! At the store level little if anything has been told to employees on how to address customer concerns.

    • Scott-

      18 months ago we met with a CIO’s from large financial institution who flat out denied their QSA findings with us in the room. It is no surprise to this IT Security consultant that these companies are going to be breached time and time again. IT Risk management calculates the costs vs. risks and consistently determines that they can “go another year” without making a considerable security spend to secure their environment.

      Where I think we’ll see progress is where organizations are realizing the “old guard” lacks the technical knowledge as it relates to the complexity of their corporate environment. The younger CISO/CIO’s understand the risk and are pushing senior leadership for a more aggressive proactive stance to security. Until the board of directors understand how serious this can be I’m afraid we’ll continue to see these stories each and every holiday shopping season.

      Final thought, and it should be no surprise to anyone who is familiar with this space. You can be compliant but not secure; if you build your environment securely, you will achieve compliance.

  16. I recently recieved a phone call from a nice young lady who advised me I had signed up to enter a drawing for 25k on their “partner website”. All I had to do was be transferred and answer a few basic questions.

    After being transferred the first question was the same as one of my password reset questions. I answered falsely. Questions 2 and 3 were also designed to return actionable information.

    I then advised the gentleman I was speaking with that I was a Federal Agent. He immediately hung up.

    The phone number itself thrown into Google comes back as belonging to an H&R Block out of Fresno, CA. Nobody answered when I called during business hours.

    I am not a Federal Agent.

    • I would be careful with impersonation of a federal officer. A fine line in your federal code before it is a crime. 🙂

      • voksalna, give us a break! Geesh …

        • And yet it’s true. If you don’t believe me, look it up in the US Criminal Code. Hundreds get arrested for it every year.

          • … ‘straining for gnats and swallowing camels.’ Thanks for your example of overlooking the obvious and being pedantic at the same time. We definitely need more of this. No kidding, we do.

            • My point was, beware of selective justice. Thank *you* for overlooking the obvious. He could have just said he was *calling* the federal agents. Why fight illegal behaviour with illegal behaviour? What examples does this set?

            • PS: I never claimed to be an ‘expert’. There are plenty of experts, as well as ‘experts’, on here. I wouldn’t trust anybody that called themselves an expert, either, without some very good proof; experts are responsible for breaches like this, after all (and I mean on the side of the breached institution as well); nobody can know everything, nobody can secure everything. I’m sure there is much that neither of us knows about a lot of things. I have shown humbleness. Maybe you should try it?

  17. Breach after breach after breach after breach, and what have we learned? For one, if your credit card number is not only enough to charge your card, but required to charge your card, theft is inevitable. The other thing we have learned is that companies collect way too much information about us.

    The only way to ensure security in the future is to make sure the merchant never has enough information to charge your card on their own. For example, a pay by phone protocol in which receive a transaction, which is signed by the merchant, with your private key, encrypt your details with your bank’s public key and include a transaction an identifier that is not allowed to repeat, as well as a pin number typed in on your device instead of a possibly fake keypad, and then sign the whole shebang with your private key. With a phone protocol using QR codes to provide public keys for communication over wi-fi, and a special protocol built into a browser/web server, you could actually have a unified secure system. The only issue is the security of your smartphone and PC, which probably aren’t very good, so you don’t want to store keys there, and instead want to use smartcards to handle the key storage and signing/encryption, which requires new hardware, which makes everything significantly more difficult to implement.

    The problem is that convincing banks to significantly overhaul systems is about as likely as convincing businesses to stop collecting information on us for no reason other than they can.

    Security is hard, but appearing secure is easy.

    • What do we learn? We learn from noted forum expert voksalna that it is unlawful to ‘ impersonate a federal officer’, even over the phone when speaking to a phisher or schemer …

      No sarcasm intended or desired.

      • Now you’re trolling me through other peoples’ comments and inconveniencing others who might have track-backs? That’s a pretty pathetic thing to do. As I’ve said before, if you want to have a discussion, we can have a discussion; I’d be glad to. Send me an email address (a temporary one if you like). If your point is to troll, then troll me directly. If you want to comment to his points, comment to his points. Have some forum etiquette.

        End of communique.

  18. I created the following list of addresses to assist those who wish to learn more about their credit status or place limits on the availability of their credit information. The title of the following report says it all: So How Many Consumer Reporting Companies Are There?
    http://www.whitehouse.gov/blog/2012/07/17/so-how-many-consumer-reporting-companies-are-there . In the report there is a paragraph that reads:
    “So we encourage you to take a look at the list of companies and think about which ones might be reporting on you. It’s important to ask for your report from those companies so you can correct any mistakes or see whether anyone’s been trying to hijack your identity. For example, if you’re going to rent a new apartment or home, ask the landlord what tenant background company they use, if any. You can access the list here. “ Be sure to read the list because there are credit reporting agencies that have specialties. Under “ SUPPLEMENTARY/ALTERNATIVE CREDIT REPORTS”, there are companies that offer free credit reports.
    Information about free credit reports is available at
    http://www.consumer.ftc.gov/articles/0155-free-credit-reports .
    Some people may wish to put a security freeze on their credit reports. Here is some general information on security freezes: http://en.wikipedia.org/wiki/Credit_freeze . The following are freeze links.
    Innovis
    https://www.innovis.com/InnovisWeb/pers_placeSecurityFreeze.html
    Experian
    http://www.experian.com/consumer/security_freeze.html
    Equifax
    https://help.equifax.com/app/answers/detail/a_id/159
    Transunion
    http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

  19. NBC’s story: http://www.nbcnews.com/business/feeling-vulnerable-how-target-shoppers-can-protect-their-info-2D11898818

    Brian is quoted: ” Be wary of email correspondence
    “If you see an email that asks you to click a link to a site and provide sensitive information, stop and don’t click or provide any data,” said Brian Krebs, who first exposed the Target breach.”

  20. I’ve come to the conclusion that either Target Corp. has either been deliberately misleading its customers since day 1 of this breach as to its severity, or they’ve been completely incompetent and negligent in their IT security processes.

    Either way, you can’t trust anything they say or trust them to do what’s right.

    I’m done with Target.

    • I thought that Target was letting out minimal info because the fed goverment is involved and it’s an active investigation.

      Right now I’ll bet $50 that someone on the Target IT security team is involved. An inside job along with possible outsiders.

      • +1 for first sentence. It is indeed an ongoing investigation and the more they leak out the more they risk telling the perpetrators what they know while also telling other people what they know and increasing false leads and bad times and creating more paperwork to wade through (I am guessing).

        Most people think breach! I must know everything! But it takes time for them to know things. Speculation and early release of data makes investigation harder not easier.

  21. I’m the one who posted earlier today about how for the past year, Target Corp. has failed to provide timely updates about activity on my Target store credit card. Even though all of my account security warning alerts haven’t changed, it now takes as long as a week for Target to send me an email or text-message alert letting me know a charge was posted to my card. These text-message updates used to come in real-time – either as I was leaving the checkstand or while I was getting into my car in the store parking lot.

    I did just receive a generic email letting me know As you requested, this is to let you know your Target REDcard® balance is now greater than $100.00.

    To view your account activity, make a payment or stop this alert, go to Target.com/rcam and sign into Manage My REDcard.

    Thanks for using Manage My REDcard!

    There’s still been no text alert to my phone or email alert letting me know a purchase for a few hundred dollars (Bose headphones that I bought yesterday morning) has been charged to my account. I’m paying off this bill and closing my Target store credit card account. If they can’t provide me with the basic level of security alerts that I requested (and signed up for), I don’t need to do business with them.

  22. How they did it is not a mystery. What is a mystery is why the basic controls that would prevent this weren’t in place. Point of Sale malware is nothing new. Do an Internet search on ‘POS Hacking’ and you will find lots of info like this:

    http://www.scmagazine.com/malware-that-steals-from-point-of-sale-systems-detected/article/274182/

    There is a lot (and I mean a LOT) of POS attack software out there, most of it probably written by those with access to inside technical details. Edward Snowen of the Point of Sale industry anyone?

    • Maybe the controls were in place and someone bypassed them in an apparent legitimate manner.

      I have absolutely no info backing my gut feeling that this was partially an inside job, but think about the situation if it was. Someone with authority and access could have set this up even if the tightest controls had been implemented.

  23. Here’s a question…. Target is offering credit monitoring, but no option for a “guest” to remove their info from Target databases. Why not? Why can’t a customer ( not a Redcard holder for obvious reasons- finance thru Target) opt out of being in the Target database if they no longer want to receive discounts or fliers etc, why can’t the customer record be deleted? Sadly, it’s because Target will claim ownership of the database (including the record) even if you didn’t realize you were in it. So it’s “your” name and address, but the record of it in Target’s DB belongs to them. As soon as you give a company any PII, you actually lose control over it.

    • KrebsonSecurityFan

      My prediction is that in the future a database owner will one day charge someone for the task of removing that someone from the owner’s database.

      It will be similar to having an unlisted telephone number.

  24. So the breach is now up to 110M. Given the type of data now reported breached it’s clearly Target’s databases have been successfully attacked. Question is was this a two pronged attack, PoS and databases or was the database attack only actually discovered once Target began investigating the original PoS attacks?

  25. This is where I am curious – how does Target have my email in the first place. I used my debit card at Target during that timeframe (replaced that right away) but I have gotten emails from Target since about the issue (well, either them or the people that stole the email info) and I am curious – how do they even have my email address? I don’t give that information out when asked at the register at any store, and Target doesn’t even ask for it (some stores do which is annoying) and I don’t have a Target card at all. I don’t give out my phone number at the register either. So where did they get it – data mining for customer info based on a credit card number? This is what bothers me even more about the whole thing. I don’t have facebook/twitter/linkdin/etc account so where did it come from?

    • Very good question. The answer is probably your bank. I’m sure they were notified by Target, and most likely have a data sharing agreement with them. Data mining or database sharing seems to be very prevalent. I recently made a phone inquiry to someone I had never spoken with before at the Smithsonian. I left a voice message with only my phone number. The next day I received an email from that person. I have no idea (well I can guess) how he got my email address. It was very creepy.
      The expansion from 40 million to now possibly 110 million and the new breach at Neiman Marcus is very worrying. I wonder if there is a connection? Could it not have been their databases, but rather a banking center or card processors database?

      • I get creeped out by ads that show up in my browsing sessions, for stuff I never bought online, and never so much as went to any online site related to those businesses; so I think you right – information sharing through credit card industries is about as promiscuous as you can get! 🙁

        These are adds for things that just don’t normally advertise anywhere, ever – so that part was very surprising to me! They hit the exact type of item I buy, and model numbers, etc. Very specific and VERY creepy! :O

  26. According to a NYT article, the number is 110 million people (presumably from adding 70 mil and 40 mil) constituting approximately 1/3 of the people in the country. Such an enormous data breach is, of course, alarming for many reasons. As a consumer attorney, the problem that jumps out for me, is that debt buyers such as Midland Funding LLC and CACH LLC will eventually obtain affected accounts and sue many of the people whose information was stolen, claiming a right to be paid on alleged consumer debts.

    The Target incident will likely result, indirectly, in vast numbers of court judgments against consumers, by means of which debt buyers will be permitted to drain the bank accounts and levy the wages of countless individuals.

    In theory, rules of evidence require certain standards of reliability, and these rules would help protect consumers from unsupported judgments. Under the rules of evidence, witnesses need to authenticate business records and give affirmative reasons why they should be found reliable. In practice, I have seen many judges in collection cases ignore the evidence code, concluding that evidence presented by institutions is defacto reliable.

    Debt buyers generally have no familiarity with underlying issues of compromised accounts or instances of fraudulent charges, but they will blithely testify to the validity of debts and many judges will take their testimony at face value.

    The big lessons from this incident probably concern computer security. But, as an attorney who represents consumers against debt buyers, the lesson I see is that judges should follow the evidence code in collection cases, a point also made in a blog post dated 1/10/2014 at http://www.californiacollectiondefense.com/target-fiasco-exemplifies-courts-ignore-evidence-code/.

    • thehumandefense

      Ian,
      I agree that your correct and that the situation you have described will probably occur.
      I think the key result of this breach and all of the others in the last 24 months is my mantra “Security is not a technology solution, but a human resolution”. The U.S. companies have spent 100million dollars or more in 2013 and 2012 on technology solutions for protection. The breaches keep happening and with greater frequency then ever. I have watched this trend since the first Verizon Data Breach Investigation Report in 2008.
      It’s time to take notice, we must educate, train and help companies utilize their best and first line of defense…….people.
      Donuts to dollars, this was a targeted attacks against specific employees who had been social engineered.

  27. thehumandefense

    Richard,
    The reason for this is because the CVV (4 or 3 digit code) code on the back or front of a card is for online or over the phone purchases. The CVV code in the mag strip is to indicate that the card was present for the purchase. If I do not have that code, I cannot clone the card. This is why they wanted the credit cards only presented at the stores. It also tells me that they knew Target (assuming) segmented that data from online purchases. These 2 breaches are the game changer for the entire retail industry.
    I will say it time and time again. It’s not a matter of if you’ll get breached, but when. Ask anyone who rides a motorcycle.

  28. I watched this story on Brian’s site since the very beginning. We rarely use our (one and only) credit card at Target because there isn’t one nearby, so I wasn’t worried. Just before Christmas, I mentioned this break-in to my wife by happenstance and she confessed that she had gone to the closest Target she could find to buy gift cards for our nephews. I checked our online statement and nothing appeared amiss.

    Practically, the next day we headed out of town for vacation. While at a Christmas eve service my phone rang. I ignored it. It rang again and I turned it off. By the time the service finished and I could get my phone back on, I had received two calls and three texts from my credit card company. They asked if we had charged $550 at a Target in NYC earlier that afternoon. I said, ‘no, we were hundreds of miles from there’. The bank told us that they had seen two transactions at the same Target in NYC (not the one my wife used) within a few minutes of each other for the same amount and had approved the first, but didn’t approve the second. Bang! Card cancelled. Only problem was that we were now on vacation without a credit card. It quickly became a cash-only vacation for us. Good thing that I didn’t have to check into a hotel or rent a car or anything.

    It seems to me that with Target and Neiman Marcus being hit, that the compromise had to be in some part of the system where transactions were aggregated – perhaps like the payment gateway to the merchant bank. I’m not in retail, but I would assume that the transactions are executed at the store and then passed to a centralized Target payment gateway which then communicates with the Merchant Bank. It wouldn’t surprise me if the retail stores had a distinct payment process than does the online part of the business and perhaps even use a different Merchant Bank, which might explain why only brick-and-mortar were compromised.

    If a hacker managed to compromise one of the providers it would be lights out.

    Great work, Brian.

  29. I’ve worked for Target as an IT temp in the past. They are a decent company, and have a strong IT dept. that assists law enforcement with IT forensics for free. I see a lot of Target bashing here, but the truth is (speaking as a server administrator) that there’s no such thing as a secure system. Every single retail, banking, etc. business has IT risks. Every. Single. One. Lots of bad things going on that nobody hears about; at least we know about this one.

    • TheHumanDefense

      Lilia,
      You are correct. The 2013 Verizon DBIR indicated exactly what you said. Not a single industry was missed in 2012. Everyone had a breach, every single industry. All the way from Utilities to the Defense industry.
      I sincerely hope that no one thinks I am bashing any of these companies. I am merely making the point that as soon as they know what is causing the breach, the sooner they get that information to their competitors, the less the card companies and consumers are impacted by more breaches.

      One other point about the India chatter. These crimes have no state line, they have no boarders, they are organized with clear objectives. I recall Gen. Alexander in 2011 saying “The next 9/11 will be in cyber space”. As much bad press as he may be getting, he is not an idiot and probably I not far from the mark. This type of breach could put small community banks, credit unions, and others into ruins. Just because the FDIC protects the consumer, it does not mean that the banks or credit unions will be. Their doors could be shut by such losses and jobs will be lost.
      Lets stop looking at this crime as where and why, but look at how we can better come together as security professionals, and stop the competitive atmosphere. We have proven in the past 11 years what we can survive as a country when we come together. But we have also proven how we can implode when we fight each other.

      Thank you Lilia for posting this, as I can see where some of my comments and others might seem like bashing. I don’t know the intent of the other comments, but I hope I have explained my position.

      The Human Defense

      • Maybe the card companies need to go to a Paypal model – not that Paypal hasn’t had a few problems in the past. But at least the customer information is non-existent at the store, and, hopefully stored on a Fort Knox defense server system to authorize purchases form brick and mortar businesses.

        You still have the problem of the customer authentication at the POS location. but I’ve seen several simple technologies that are economical for commerce solutions for this as a 3rd factor. I really wonder if these crackers have defeated chip & pin before it has even started? Until we know everything about the breach method, we are in the dark.

    • Valuable comment, Lilia.

      I still shop at Target, I see no reason to punish them. Not yet, at least. I had a credit card number stolen in early 2013, had nothing to do with Target and I never found out if it was part of some widespread breach or something smaller. It’s the hazard of our era. We humans used to be eaten by predators. I’d rather have my credit card number stolen. 🙂

  30. I am very concerned about the possibility of identity theft as a result of this breach, and also in general. We have had the experience several times in the past ten years. Once someone changed our address on an account, which resulted in the new address appearing on our credit report. Then they used that new address to apply for an internet Visa, using our credit. Since the address was on our report and we have good credit, the new account was opened with a $20k credit limit. These are not fun things to resolve. I am considering signing up for one of the credit monitoring services and I’m wondering if Brian has ever reviewed how well they do what they claim. There are at least 11 different ones I have found. Brian, do you have any thoughts about whether these services are worthwhile? I am not so much concerned about the cost if I can outsource some of this necessary monitoring to a reliable partner. Thanks for your incredible reporting!

    • Martha,
      I understand how you feel. I have been a victim of ID theft myself on 2 occasions and was just notified last week that one of the local universities I have attended was breached for 2.6 million SSN’s. However, this breach and the Neiman Marcus breach are not indicating a breach of SSN’s but just card info. As Brian stated in some above post, more then likely, you will just get a lot of spam and phishing emails due to this other data stolen of email addresses names and all of that. Your situation sounds like someone has gained access to a SSN and are using it to apply for credit, maybe utilities, or even false employment.
      Definitely make sure that your never using links in emails to go anywhere unless you just changed your password on a site and are anticipating that email. Otherwise use the site itself for any questions that might come up in a possible email that you were not anticipating.
      You can typically hover over the link and see if the URL is legitimate, but even that has not been proven full proof. However, if you get a not and not sure if you should click, always follow that gut instinct.
      95% of ID theft stems solely from the theft of an SSN. In these situations, using any credit monitoring offered by the organization breached is very important to catch them in the act.
      Make sure you are reporting any notice of a SSN breach to each of the three credit reporting agencies. All three operate independent of the other. Not saying you don’t already know this, but some folks I talk to think they are all somehow related to each other.
      I have been here, and not to make it sound even worse, but it has taken about 11 years for my last ID theft to stop haunting me. Oh, and file a police report with your local law enforcement that your ID theft occurred. They will try to tell you they don’t do that, but most of the larger police departments have ID theft detectives, or Fraud Detectives. Try and talk to them. This police report makes it possible to have the credit agencies remove the bad inquiries from your report.