Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Target Hacked: Confirms 40 Million Payment Cards Affected in Massive Data Breach

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013, the company said.

“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” the company said in an announcement Thursday. “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”

Minneapolis-based Target Corporation operates 1,921 stores—1,797 in the United States.

“If guests shopped in US Target stores during this time period, we encourage them to be vigilant in monitoring their accounts,” a Target spokesperson told SecurityWeek.

Rumor of the massive data breach was originally reported Wednesday afternoon by security researcher and blogger, Brian Krebs, and quickly picked up by media outlets around the world.

According to the New York Times, the US Secret Service is also investigating the incident.

“Due to the size and scale of the Target breach, this looks like a planned attack that began well before Black Friday,” Matt Standart, research director at HBGary, told SecurityWeek. “To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do.”

Advertisement. Scroll to continue reading.

“Black Friday was the date to execute their primary mission objective most likely due to two factors,” Standart said. “The first is the increase volume of transaction data (i.e., credit card information) that was available, and the second is the increase load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).” 

Target said authorities and financial institutions were alerted immediately after the breach was discovered, and is putting all appropriate resources behind these efforts. The company said it has hired “a leading third-party forensics firm” to investigate the incident.

“The number of records combined with both personally identifying information (name) and financial information (credit / debit card number and security code) categorize this breach as one generally requiring consumer disclosure,” Ted Julian, Chief Marketing Officer at Co3 Systems, told SecurityWeek.

“Target is likely in the process of notifying the affected consumers, regulators, credit bureaus and so on,” Julian continued. “This is good as failure to comply with just the privacy breach disclosure requirements associated with this incident would risk fines of $8.5 million (Co3 estimate); not to mention, the cost of sending out those notifications, setting up credit monitoring, IT remediation costs, customer flight, etc.”

“While we’re early in the early stages of the process, Target’s response so far has hallmark’s of a best-of-breed effort,” Julian said. “The time from discovery to notification is short, their communication is clear and decisive.”

For consumers who may be affected, more information is available at Target’s website. For customers who suspect unauthorized activity on their payment cards should contact Target at: 866-852-8680, the company said.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.