Yesterday, Target stores announced a data breach affecting customers who purchased items in stores with their credit card or debit cards from November 27 to December 15, 2013. The specific payment information stolen included customers' names, card numbers, expiration dates, and the three-digit CVV security numbers.
While the Target breach announcement did not disclose the total number of shoppers affected, Mashable and TechCrunch reported that 40 million consumers were affected by the breach. That is a massive breach. Target has 1,797 stores in the USA and 124 in Canada. Shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.
Several media sources have reported that the Target breach is the second biggest in the USA to the TJX/TJ Maxx breach, but it is probably third biggest if you consider the Heartland breach. These size comparisons are useless because many companies don't disclose the number of breach victims affected.
TechCrunch also reported:
"The company moved quite slowly on this breach. On December 12 Brian Krebs reported the first rumors of the attack, suggesting it consisted of a wholesale scraping of “track data,” the data found on each credit card magnetic track. Krebs suggests that the thieves may have broken into the stores’ wireless networks and grabbed the card information as it was transferred from the cash registers."
The New York Times reported:
"By breaching point-of-sale systems, cybercriminals can create counterfeit cards. If they were able to intercept the PIN information, as well, it is also possible that thieves could withdraw money from a customer’s account through an A.T.M. A similar breach affected Barnes & Noble stores last year. In that case, customers at 63 Barnes & Noble stores across the country, including New York City, San Diego, Miami and Chicago, were affected."
The Target breach announcement did not disclose details about how the retailer's systems were hacked. The retailer's announcement included the usual comments: a forensics firm is helping it investigate the breach incident; it is working with local law enforcement, and it has notified banks financial institutions. The U.S. Secret Service is also investigating the Target breach.
Target listed several questions in its breach announcement. One claimed that the breach has been resolved:
"Has the issue been resolved?
Yes, Target moved swiftly to address this issue so guests can shop with confidence. We have identified and resolved the issue of unauthorized access to payment card data..."
I find this claim about resolution premature and difficult to believe, since the breach investigation is still ongoing. The hackers may have accessed Target's systems through several methods, not just the first method identified and closed.
The Target breach announcement advised affected shoppers to do the following to protect themselves and their payment information:
- Read the breach notice closely,
- Monitor your bank accounts and card statements for fraudulent transactions,
- Watch your credit reports for fraudulent transactions,
- Visit the official Annual Credit Report website to obtain your free credit reports,
- Contact the major credit reporting agencies to learn more about credit reports and how to place a fraud alert on your credit files,
- Contact the U.S. Federal Trade Commission (FTC) to learn more about identity theft and how to protect yourself
The Target breach announcement included additional information for consumers to contact the FTC, plus specific instructions for shoppers who live in Iowa, Maryland, Massachusetts, or North Carolina.
After writing this blog for over six years, I have learned a fair amount about data breaches. Affected shoppers should proactively monitor their financial accounts for the next couple years, because identity thieves usually resell stolen payment information to other thieves. So, the thieves that hacked Target's systems won't necessarily be the ones to attempt fraud with shoppers' stolen payment information. While thieves are in no hurry to use the stolen payment information, payment information stolen from the Target breach is already being sold online.
Usually, companies provide free credit monitoring services to breach victims, but Target has not offered that. After its data breach, IBM provided me and other affected breach victims with one year of free credit monitoring.
Consumers that shopped at Target during the above period with a debit card PIN number should change their PIN number, so theives cannot drain their bank accounts through ATM withdrawals. Wise shoppers will also change the passwords on their bank accounts. Shoppers that experience actual fraud (e.g., stolen money from their financial accounts, new accounts opened in their names) will probably want to request a fraud alert (or a security freeze for more protection) on their credit reports and have their banks issue replacement accounts (and cards).
Do I use a debit card to pay for purchases in retail stores? No. It is simply too risky. There have been many breaches at retail stores. When you use your debit card to pay for purchases, you are betting that identity thieves have not hacked:
- The point-of-sale terminals (e.g., payment terminals) in the stores, and/or
- The wireless transmissions between the retail stores, any centralized databases the store operates, and the banks.
Plus, stolen debit card payment information provides thieves direct access to your checking accounts.
And, it is especially risky at gas station pumps, which are also point-of-sale terminals due to pay-at-the-pump payment options. The problem: the gas pumps are unattended and accessible by the public for long hours when gas stations are closed. That makes it easy for identity thieves to tamper with gas pumps and insert skimming devices. And many have.
I expect much more news during the coming days or weeks as Target and the U.S. Secret Service share the results of their investigations. If the banks issue replacement debit cards and checking accounts to breach victims, then somebody will have to pay for the replacement cards: the banks or Target.
[Update Dec. 21: In a letter to its shoppers published on its website, Target CEO Gregg Steinhafel mentioned that the retailer will offer, in a future correspondence to affected shoppers, free credit monitoring services.]