Security Experts:

Connect with us

Hi, what are you looking for?



Target Hacked: Confirms 40 Million Payment Cards Affected in Massive Data Breach

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013, the company said.

“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” the company said in an announcement Thursday. “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”

Minneapolis-based Target Corporation operates 1,921 stores—1,797 in the United States.

“If guests shopped in US Target stores during this time period, we encourage them to be vigilant in monitoring their accounts,” a Target spokesperson told SecurityWeek.

Rumor of the massive data breach was originally reported Wednesday afternoon by security researcher and blogger, Brian Krebs, and quickly picked up by media outlets around the world.

According to the New York Times, the US Secret Service is also investigating the incident.

“Due to the size and scale of the Target breach, this looks like a planned attack that began well before Black Friday,” Matt Standart, research director at HBGary, told SecurityWeek. “To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do.”

“Black Friday was the date to execute their primary mission objective most likely due to two factors,” Standart said. “The first is the increase volume of transaction data (i.e., credit card information) that was available, and the second is the increase load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).” 

Target said authorities and financial institutions were alerted immediately after the breach was discovered, and is putting all appropriate resources behind these efforts. The company said it has hired “a leading third-party forensics firm” to investigate the incident.

“The number of records combined with both personally identifying information (name) and financial information (credit / debit card number and security code) categorize this breach as one generally requiring consumer disclosure,” Ted Julian, Chief Marketing Officer at Co3 Systems, told SecurityWeek.

“Target is likely in the process of notifying the affected consumers, regulators, credit bureaus and so on,” Julian continued. “This is good as failure to comply with just the privacy breach disclosure requirements associated with this incident would risk fines of $8.5 million (Co3 estimate); not to mention, the cost of sending out those notifications, setting up credit monitoring, IT remediation costs, customer flight, etc.”

“While we’re early in the early stages of the process, Target’s response so far has hallmark’s of a best-of-breed effort,” Julian said. “The time from discovery to notification is short, their communication is clear and decisive.”

For consumers who may be affected, more information is available at Target’s website. For customers who suspect unauthorized activity on their payment cards should contact Target at: 866-852-8680, the company said.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.