Target: 40 Million Cards at Risk

Investigation Into Retailer's Breach Launched
Target: 40 Million Cards at Risk

Target Corp. confirms that a network intrusion may have exposed approximately 40 million debit and credit accounts. U.S. point-of-sale transactions conducted between Nov. 27 and Dec. 15 were likely affected, the company says.

See Also: Healthcare Breaches - The Next Digital Epidemic

The big box retailer operates 1,797 stores in the U.S. and 124 in Canada.

Target says it "has identified and resolved the issue," and is now working closely with law enforcement and banking institutions. Various media outlets have reported that the Secret Service is involved in the investigation.

The company did not say how the network was penetrated.

"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the company says. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."

Reports About Breach

News of a possible breach of card data broke Dec. 18, when security blogger Brian Krebs reported that a breach that started on Black Friday had likely affected an unknown number of Target customers who shopped at the company's main street stores.

But Target now confirms that the breach actually began two days earlier.

Several sources tell Information Security Media Group that MasterCard and Visa have both issued alerts about the alleged attack, and one executive from a leading U.S. card issuer, who asked not to be identified, says MasterCard has so far issued nine fraud alerts believed to be linked to Target.

Another executive from a second leading issuer, which has seen activity suggesting a Target attack, says it's likely that fraud activity is limited to only a handful of issuers at this point.

"Perhaps the fraudsters are selling this info by card type," the executive, who asked not to be identified, says. "I hear from contacts at a processor that activity indicates that they might be going BIN [bank identification number] by BIN. We haven't seen a spike in volume yet, but we are monitoring."

Other Breaches

The breach of card data linked to Target is just the latest in a long line of card retailer breaches.

Targeted malware attacks against grocery chain Schnuck Markets Inc., supermarket chain Bashas' Family of Stores, convenience store chain MAPCO Express, and retail tool store chain Harbor Freight Tools were all blamed for card breaches.

Earlier this month, JPMorgan Chase confirmed a breach of its UCard Center website, which exposed some 465,000 prepaid card accounts. And in May, a similar prepaid card breach, which was traced back to two Middle Eastern Banks, was linked to a $45 million global ATM cash-out scheme dating back to late 2012.

Industry experts say these types of attacks are escalating because of poor point-of-sale and network security, which too often relies on outdated software and default passwords for remote network and system access.

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network