40 Million Target Customers Hacked

December 23, 2013

The Official Merchant Services Blog tackles the big news in the payment processing industry today: The major hack of discount retailer of Target that stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season.

The sophisticated hack reportedly took place over several weeks — starting on Black Friday and possibly extending all the way through December 15th — and is said to involve nearly all Target stores in the United States. News of the hack was initially reported by noted security blogger Brian Krebs, who also broke the news in 2012 of the Global Data Breach.

The Global Breach is particularly relevant in this Target breach because of the type of data stolen — also known as “track data.”

Track data, is the raw cardholder data contained in a magnetic strip in a credit or debit card. Stealing this data  allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe.   If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs. This is the same type of data that was taken from Global.

On December 19, Target confirmed the data breach. In their press release they state: “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.  Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”

TargetBreach1

What is Target doing?

As part of its recovery process from this hack, Target has offered affected customers a free credit monitoring service and set up a telephone hotline. It also offered a store-wide 10%discount on Saturday and Sunday to all customers.

Many news outlets speculate that the discount was in response to flagging business right at the apex of the holiday shopping boom. Retail consulting firm Consumer Growth Partners estimated that customer transactions at Target stores declined on Saturday compared to the same weekend last year. But regardless, it was a gesture from the company to its customers at a time when the news of this breach was causing concern about even going into the store, which in Delaware (homebase of Host Merchant Services corporate offices) is one of the cornerstones of the Christiana Mall shopping megalopolis.

Target also said:

  •  The unauthorized access took place in U.S. Target stores between Nov. 27 and Dec. 15, 2013.  Canadian stores and target.com were not affected.
  •  Even if you shopped at Target during this time frame, it doesn’t mean you are a victim of fraud. In fact, in other similar situations, there are typically low levels of actual fraud.
  •  There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash.
  •  You will not be responsible for fraudulent charges—either your bank or Target have that responsibility.
  •  We’re working as fast as we can to get you the information you need.  Our guests are always the first priority.

 

Target also said that it began investigating the incident as soon as it learned of the breach, calling in a third-party forensics firm to assist. Target stated it notified banks and law enforcement as soon as it learned of the hack. And the Secret Service, which safeguards the nation’s financial systems, said it was investigating. Then on December 19, New York Attorney General Eric Schneiderman pledged to investigate.

What Else is Happening?

In the wake of this hack, lawsuits have cropped up. These class-action lawsuits against the Minnesota-based company were filed in U.S District Court on December 19 from three Target customers. According to reports, the shoppers are suing on behalf of all people who might be affected and accused Target of negligence. They also claim that contrary to Target’s claims, the retail giant did not notify customers as soon as it learned of the credit card theft.

Lawsuits were also been filed in California and Oregon. The basis for those claims also center around when Target knew about the breach and how long the company waited. If granted class action lawsuit status, the damages could be in the multi-million dollar range.

How Big a Deal is This?

Something to keep in mind about these suits and about the breach itself is that the data breach is rather mundane when compared to breaches of the past.

In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

What this means is that the Target breach is big but not challenging for the record books. And that in light of these larger breaches in the past, the class action suits being filed may not gain much traction. The timing of the Target breach makes its impact rather large when compared to the above mentioned breaches. A retailer breached during the holiday shopping blitz is cause for concern and as cited, did scare business away during this past weekend. But Target seems to be rolling with the punches thus far.

Host Merchant Service’s PCI Compliance Initiative

Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

Save Time, Money, & Resources

Categories

E-commerce, Industry News, Merchant Services

Contact HMS

Ready for the ultimate credit card processing experience? Ask us your questions here.