Card Issuers: Target Stores BreachedMillions of Cards May Have Been Exposed
A breach that apparently began on Black Friday may have exposed millions of credit and debit cards used to conduct transactions at Target retail stores, two major U.S. card issuers tell Information Security Media Group.
See Also: Rethinking Endpoint Security
The alleged breach, which has not been confirmed by Target or major card brands Visa and MasterCard, was first reported Dec. 18 by security blogger Brian Krebs.
Krebs writes: "The breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week - possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company's main street stores during that timeframe."
A Target Brands Inc. spokesman told the Minneapolis Star Tribune that Target is "checking out the report." The company declined to immediately reply to Information Security Media Group's request for comment.
But several sources tell Information Security Media Group that MasterCard and Visa have both issued alerts about the alleged attack. One executive from a leading U.S. card issuer, who asked not to be identified, says MasterCard has so far issued nine fraud alerts believed to be linked to Target.
Speculation about Breach
For now, much of what is circulating about a possible breach is speculation, other card issuers say. Meanwhile, an executive from a second leading issuer, which has seen activity suggesting a Target attack, says it's likely that fraud activity is limited to only a handful of issuers.
"Perhaps the fraudsters are selling this info by card type," the executive, who asked not to be identified, says. "I hear from contacts at a processor that activity indicates that they might be going BIN [bank identification number] by BIN. We haven't seen a spike in volume yet, but we are monitoring."
An executive with a third card issuer, who also requested anonymity, suggests the attack may have only impacted debit and credit REDcard accounts, which are issued by Target Card Services. "I am sure that issuing FI [financial institution] has seen that trend before anyone else," the executive says.
Information Security Media Group will post additional updates as they are available.
The apparent breach of card data linked to Target is just the latest in a long line of card retailer breaches.
Targeted malware attacks against grocery chain Schnuck Markets Inc., supermarket chain Bashas' Family of Stores, convenience store chain MAPCO Express, and retail tool store chain Harbor Freight Tools were all blamed for card breaches.
Earlier this month, JPMorgan Chase confirmed a breach of its UCard Center website, which exposed some 465,000 prepaid card accounts. And in May, a similar prepaid card breach, which was traced back to two Middle Eastern Banks, was linked to a $45 million global ATM cash-out scheme dating back to late 2012.
Industry experts say these types of attacks are escalating because of poor point-of-sale and network security, which too often relies on outdated software and default passwords for remote network and system access.