Story Summary

Target credit and debit card security breach

A breach of credit and debit card data at discount retailer Target may have affected as many as 40 million shoppers who went to the store in the three weeks after Thanksgiving.

Target said cards used at the brick-and-mortar stores between Nov. 27 and Dec. 15, 2013, may have been impacted.

Target has also set up a phone line for customers who suspect there has been unauthorized activity on their accounts. Shoppers can call 866-852-8680.

 

Story Timeline

A security firm has identified a teenager in Russia as the author of the malware used in the cyberattacks against Target and Neiman Marcus, and warned retailers to be prepared for more potential breaches.

Investigators have been probing the recent holiday season cyberattack where a massive breach at Target compromised credit card numbers and other personal information of 70 million customers.

In a statement published Friday, security firm IntelCrawler said the breach was the result of malware that infected Target’s system and possibly compromised the systems of other retailers. Neiman Marcus reported a similar security breach this month.

The malware, which IntelCrawler describes as an “off-the-shelf” product known as BlackPOS, was allegedly written by a 17-year-old with roots in St. Petersburg.

New breaches?

Experts say the teenager who made the malware shared it with others.

“Well, we should be worried. One of the things the hackers do is take the malware as it’s called. Once it’s identified, then the security community can rally around it and put controls in place. But the problem is, the hackers know that. And they manipulate or mutate this malware, and then reuse it,” SecureState CEO Ken Stasiak said.

“We believe that he originated the code, or the malware everybody’s calling it now. And was able to put it up on the Internet for download for other hackers to then take, and potentially use it for malicious harm. And that’s what we believe happened to Target and Neiman Marcus.”

The first sample of the malware was created in March and since then, more than 40 versions have been sold around the world, IntelCrawler said. It first infected retailers’ systems in Australia, Canada and the United States.

Andrew Komarov, IntelCrawler CEO, said most of the victims are department stores and said more BlackPOS infections as well as new breaches could appear soon. Retailers should be prepared.

“The numbers could be staggering, really, because what the retailers are looking at are potential class action lawsuits,” CNN legal analyst Paul Callan said.

“Let’s say hypothetically, a retailer has 40 million transactions by 40 million different customers. All 40 million may have been damaged in some way, and under law they can all be joined together in a class action lawsuit.”

CNN’s George Howell contributed to this report.

TM & © 2013 Cable News Network, Inc., a Time Warner Company. All rights reserved.

William Kresse, Professor and Director of The Center for the Study of Fraud and Corruption at St. Xavier University, talks about the latest in the Target breach

The data breach at Target was significantly broader than originally reported: The company said Friday that 70 million customers had information such as their name, addresses, phone numbers and e-mail addresses hacked in the breach.

The company had previously said 40 million shoppers had their credit and debit card information stolen in the weeks following Thanksgiving.

Target said the hacking is not a new breach, but that it was discovered as part of the investigation into the theft of card information.

Target also said Friday that sales had been stronger than expected before its original announcement on Dec. 19 but fell sharply after the news. Target (TGT, Fortune 500) warned that sales and profits for the current quarter would be lower than expected because of that loss of consumer confidence.


Target confirmed today that debit card PIN data was stolen during a security breach on Black Friday. More than 40 million accounts are affected.

William Kresse from Saint Xavier University is a professor who specializes in identity theft and fraud. He joined the WGN Evening News to discuss the developments.

Target is now confirming that debit card PIN data was stolen from customers as part of a breach of 40 million accounts.

A spokesperson for Target issued a statement saying:

“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”

And experts believe it is unlikely that thieves can access that PIN information because that data was encrypted.

Target faces almost two dozen lawsuits filed by consumers after details of the initial breach were released.

Target is offering an apology and a store-wide sale this weekend, after the massive hacking attack that impacted 40 million customers’ credit and debit card information.

They are offering customers 10% discounts.

A class action lawsuit in Chicago is one of two suits accusing Target of lax security.

Several angry customers said they can’t get through on the hotline or website to get questions answered Friday.

A Target spokesman said they’re trying to handle the backlog by adding support team workers.

A breach of credit and debit card data at discount retailer Target may have affected as many as 40 million shoppers who went to the store in the three weeks after Thanksgiving, the retailer said Thursday.

Late Wednesday, the Secret Service, which is charged with safeguarding the nation’s financial infrastructure and payment systems, confirmed it was investigating the breach.

Spokesman Brian Leary declined further comment.

The breach first came to light via a report from respected security researcher Brian Krebs, who said Target had suffered a data breach around the time of Black Friday last month “potentially involving millions of customer credit and debit card records.”

Target, the nation’s No. 2 general merchandise retailer after Wal-Mart Stores, said cards used at the brick-and-mortar stores between Nov. 27 and Dec. 15, 2013, may have been impacted.

Target didn’t specify how its systems were hacked. But judging by the scope of the breach and the kind of information criminals got, security experts say hackers targeted the retailer’s point-of-sale system. That means they either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was en route from Target to its credit card processors.

The retailer said it notified authorities and financial institutions immediately after it was made aware of the unauthorized access, and had hired a forensics team to thoroughly investigate how the breach may have happened. The issue that allowed the breach has been identified and resolved, according to Target spokeswoman Molly Snyder.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” CEO Gregg Steinhafel said in a statement. “We regret any inconvenience this may cause.”

The thieves reportedly gained access to data on the magnetic strips of shoppers’ cards, potentially allowing them to produce counterfeit versions, according to Krebs.

The thieves could also potentially withdraw cash from ATMs using counterfeit debit cards if they were able to intercept PIN data from Target, he said.

Many major credit card companies and banks — including American Express, Discover, Bank of America, Chase, Wells Fargo and PNC — said they were monitoring the situation, and encouraged customers to alert them to any possible fraudulent charges. In data breach situations, customers aren’t on the hook for any fraudulent charges. Someone further up the chain — the card issuer, or sometimes the merchant — is responsible for those costs.

Visa and Citigroup did not respond to requests for comment, and HSBC declined to comment.

Target competitor TJX Companies — which operates discount retail chains T.J. Maxx and Marshalls — fell victim to one of the worst security breaches ever back in 2006, when hackers gained access to at least 94 million domestic and international accounts containing credit card, debit card, and check information.

If you suspect your information has been compromised: Call your credit card company, bank and Target. Credit card companies generally offer customers fraud monitoring services at no cost, and customers aren’t on the hook for any fraudulent charges. Typically, the card issuer or the merchant is responsible for those costs.

But don’t wait for your card company or bank to call you. Let them know you’ve shopped at Target recently. All you have to do is call the number on the back of your card.

Target has also set up a phone line for customers who suspect there has been unauthorized activity on their accounts. Shoppers can call 866-852-8680.


As many as 40 million Target shoppers who hit stores in the three weeks after Thanksgiving had their credit and debit card information stolen.

If you’ve visited a Target over the past several weeks, there are four steps you should take immediately to protect yourself.

1) Check your statement. It may seem obvious, but the first step you should take is looking for any charges you don’t recognize on your statement.

Don’t just look for large charges, either. Hackers often ping an account with micropayments of only a few cents to check the viability of the account. So if you see purchases of 6 cents or 11 cents, that could be a sign your information has been compromised.

2) Call your credit card company, bank and Target. Credit card companies generally offer customers fraud monitoring services at no cost, and customers aren’t on the hook for any fraudulent charges. Typically, the card issuer or the merchant is responsible for those costs.

But don’t wait for your card company or bank to call you. Let them know you’ve shopped at Target recently. All you have to do is call the number on the back of your card.

Target has also set up a phone line for customers who suspect there has been unauthorized activity on their accounts. Shoppers can call 866-852-8680.

3) Replace your credit card, change your PIN. If the bank didn’t already do this for you, do it yourself. This will put an end to any more fake charges.

Once you receive your replacement card, make sure to update your new card information with any companies that have your account on file for automatic payments or monthly fees, like your Apple iTunes account or cable provider.

4) Sign up for a fraud monitoring service. If you’re concerned about credit card theft going forward, LifeLock and other similar threat detection services claim that they can monitor your card activities and alert you when your account has gotten into the wrong hands. Most credit card companies offer similar services for free, but threat detection services say they go above and beyond, including offering protection of credit card information on the Internet and even lost-wallet insurance.

