SecurityWeek

Target Hacked: Confirms 40 Million Payment Cards Affected in Massive Data Breach

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013, the company said.

“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” the company said in an announcement Thursday. “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”

Minneapolis-based Target Corporation operates 1,921 stores—1,797 in the United States.

“If guests shopped in US Target stores during this time period, we encourage them to be vigilant in monitoring their accounts,” a Target spokesperson told SecurityWeek.

Rumors of the massive data breach were originally reported Wednesday afternoon by security researcher and blogger Brian Krebs, and were quickly picked up by media outlets around the world.

According to the New York Times, the US Secret Service is also investigating the incident.

“Due to the size and scale of the Target breach, this looks like a planned attack that began well before Black Friday,” Matt Standart, research director at HBGary, told SecurityWeek. “To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do.”

“Black Friday was the date to execute their primary mission objective most likely due to two factors,” Standart said. “The first is the increased volume of transaction data (i.e., credit card information) that was available, and the second is the increased load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).”

Target said authorities and financial institutions were alerted immediately after the breach was discovered, and that it is putting all appropriate resources behind these efforts. The company said it has hired “a leading third-party forensics firm” to investigate the incident.

“The number of records combined with both personally identifying information (name) and financial information (credit / debit card number and security code) categorize this breach as one generally requiring consumer disclosure,” Ted Julian, Chief Marketing Officer at Co3 Systems, told SecurityWeek.

“Target is likely in the process of notifying the affected consumers, regulators, credit bureaus and so on,” Julian continued. “This is good as failure to comply with just the privacy breach disclosure requirements associated with this incident would risk fines of $8.5 million (Co3 estimate); not to mention, the cost of sending out those notifications, setting up credit monitoring, IT remediation costs, customer flight, etc.”

“While we’re in the early stages of the process, Target’s response so far has hallmarks of a best-of-breed effort,” Julian said. “The time from discovery to notification is short, their communication is clear and decisive.”

For consumers who may be affected, more information is available at Target’s website. Customers who suspect unauthorized activity on their payment cards should contact Target at 866-852-8680, the company said.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
