Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.
Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013, the company said.
“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” the company said in an announcement Thursday. “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”
Minneapolis-based Target Corporation operates 1,921 stores—1,797 in the United States.
“If guests shopped in US Target stores during this time period, we encourage them to be vigilant in monitoring their accounts,” a Target spokesperson told SecurityWeek.
Rumor of the massive data breach was originally reported Wednesday afternoon by security researcher and blogger, Brian Krebs, and quickly picked up by media outlets around the world.
According to the New York Times, the US Secret Service is also investigating the incident.
“Due to the size and scale of the Target breach, this looks like a planned attack that began well before Black Friday,” Matt Standart, research director at HBGary, told SecurityWeek. “To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do.”
“Black Friday was the date to execute their primary mission objective most likely due to two factors,” Standart said. “The first is the increase volume of transaction data (i.e., credit card information) that was available, and the second is the increase load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).”
Target said authorities and financial institutions were alerted immediately after the breach was discovered, and is putting all appropriate resources behind these efforts. The company said it has hired “a leading third-party forensics firm” to investigate the incident.
“The number of records combined with both personally identifying information (name) and financial information (credit / debit card number and security code) categorize this breach as one generally requiring consumer disclosure,” Ted Julian, Chief Marketing Officer at Co3 Systems, told SecurityWeek.
“Target is likely in the process of notifying the affected consumers, regulators, credit bureaus and so on,” Julian continued. “This is good as failure to comply with just the privacy breach disclosure requirements associated with this incident would risk fines of $8.5 million (Co3 estimate); not to mention, the cost of sending out those notifications, setting up credit monitoring, IT remediation costs, customer flight, etc.”
“While we’re early in the early stages of the process, Target’s response so far has hallmark’s of a best-of-breed effort,” Julian said. “The time from discovery to notification is short, their communication is clear and decisive.”
For consumers who may be affected, more information is available at Target’s website. For customers who suspect unauthorized activity on their payment cards should contact Target at: 866-852-8680, the company said.