Target Suffers Massive Data Breach on Black Friday

Benjamin J. Roethig
December 19, 2013

If you shop at U.S. big box retailer Target, you’ll want to listen very carefully. According to a press release from the retailer, payment data from about 40 million credit and debit cards has been stolen by hackers. The date of the hacks was between November 27th, the day before Thanksgiving and the start of Black Friday, and Sunday, December 15th. The retailer says it is working with law enforcement, forensic companies, and financial institutions on the breach.

So what kind of information did the hackers get? A report from KrebsOnSecurity.com is very troubling. The stolen data is apparently the data stored on the magnetic stripes of payment cards, which was accessed through a breach of the retailer’s point-of-sale system. With this information, they could make counterfeit cards with access to your accounts. It is unknown if they also have access to PIN numbers, which would give them access to ATMs. The hack affects almost all of the chain’s 1800+ U.S. retail locations.

If you shopped at Target during that time period, please watch your accounts very closely for charges you did not make or unauthorized withdrawals. If you notice irregularities, please contact Target at 866-852-8680. Also contact your bank and law enforcement.

I have contacted Target to clarify the effects on customers with Target’s in store RedCard. If there is any additional movement on this story, Geek Beat will let you know here.

Sources: Target, Krebs on Security.

Update: Molly Snyder from Target’s public relations team sent out an update today. I thought I’d give you guys a snippet of things that will be applicable to you.

We are continuing the process of reaching out to guests across a number of channels including traditional and social media. Also, we have begun notifying, via email, those guests whose emails we have and who shopped in our U.S.
stores with a credit or debit card during the period of November 27 and December 15. We expect that all emails will be sent by the end of the weekend. It is very important for our guests to understand that receiving an email from us or a letter from their financial institution is absolutely not an indication that there has been, or will be, fraud on their card.

We continue to experience significantly higher than normal volume to our call centers and REDcard website, causing delays. We are working around the clock to resolve this issue by continually adding capacity both to our call center and technical systems to meet all of our guests’ needs. For example, in the last 24 hours we have quadrupled the capacity of our online REDcard account management site.

To date, we are hearing very few reports of actual fraud, but are closely monitoring the situation. We want to reassure guests that they will not be held financially responsible for any credit card or debit card fraud.

A couple of specific questions that have been coming up that we want to be sure are clear:

1. At this time, there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash.

2. We have no indication that the data that was inappropriately accessed included a guest’s date of birth or social security number.

3. The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase.

4. In addition, we have already alerted all of the networks (Visa, MasterCard, Discover and American Express) and provided the affected card numbers of guests who may have been impacted.
The networks, in turn, are providing the affected card numbers to the financial institutions of our guests via a “batch” or “CAMS alert.” This alert process allows card providers to take steps to enact additional fraud monitoring. For our REDcard holders, in addition to the robust fraud monitoring system we already had in place, we have added additional layers of security and fraud monitoring to their cards.

As I said previously, if there are any more developments, I’ll keep you guys up to date as I learn more.

Update 2

Target has set up a dedicated page for customers, the press, and investors related to the breach. There you will have access to Target documents and communications about the breach, contact information for the company and credit reporting agencies, a FAQ, and easy access to Target’s in-store RedCard.

Update 3

Target has confirmed that encrypted PIN information was taken in the breach. However, they also say the numbers are secured with Triple-DES encryption and contend the numbers could only be decrypted by the third-party firm they contract for payment processing. They also say that the decryption key was never in their system and only existed at the contractor.

5 Responses

John V.
December 19, 2013
“I have contacted Target to clarify the effects on customers with Target’s in store RedCard.” What was their answer? How are RedCard members affected?

Benjamin J. Roethig
December 19, 2013
Haven’t heard back from them yet. I’ll update as soon as I hear something.

joshwhatk
December 19, 2013
“The retailer says it is working with law enforcement, forensic companies, and financial institutions on the beach.” I would love to be working on the beach right now! Very informative, thanks!

Benjamin J. Roethig
December 19, 2013
No doubt that’s where the C-level people are. Thanks for pointing that out.

Tammy
December 19, 2013
This was *NOT* on “Black Friday”. Why is there so much wrong/false info on this site????