Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Target Hacked: Confirms 40 Million Payment Cards Affected in Massive Data Breach

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Target Retail Store

Retail giant Target today confirmed rumors that it had fallen victim to a major data breach affecting millions of customers at its U.S. retail stores starting on “Black Friday”, the biggest shopping day of the year.

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013, the company said.

“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” the company said in an announcement Thursday. “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”

Minneapolis-based Target Corporation operates 1,921 stores—1,797 in the United States.

“If guests shopped in US Target stores during this time period, we encourage them to be vigilant in monitoring their accounts,” a Target spokesperson told SecurityWeek.

Rumor of the massive data breach was originally reported Wednesday afternoon by security researcher and blogger, Brian Krebs, and quickly picked up by media outlets around the world.

According to the New York Times, the US Secret Service is also investigating the incident.

“Due to the size and scale of the Target breach, this looks like a planned attack that began well before Black Friday,” Matt Standart, research director at HBGary, told SecurityWeek. “To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do.”

Advertisement. Scroll to continue reading.

“Black Friday was the date to execute their primary mission objective most likely due to two factors,” Standart said. “The first is the increase volume of transaction data (i.e., credit card information) that was available, and the second is the increase load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).” 

Target said authorities and financial institutions were alerted immediately after the breach was discovered, and is putting all appropriate resources behind these efforts. The company said it has hired “a leading third-party forensics firm” to investigate the incident.

“The number of records combined with both personally identifying information (name) and financial information (credit / debit card number and security code) categorize this breach as one generally requiring consumer disclosure,” Ted Julian, Chief Marketing Officer at Co3 Systems, told SecurityWeek.

“Target is likely in the process of notifying the affected consumers, regulators, credit bureaus and so on,” Julian continued. “This is good as failure to comply with just the privacy breach disclosure requirements associated with this incident would risk fines of $8.5 million (Co3 estimate); not to mention, the cost of sending out those notifications, setting up credit monitoring, IT remediation costs, customer flight, etc.”

“While we’re early in the early stages of the process, Target’s response so far has hallmark’s of a best-of-breed effort,” Julian said. “The time from discovery to notification is short, their communication is clear and decisive.”

For consumers who may be affected, more information is available at Target’s website. For customers who suspect unauthorized activity on their payment cards should contact Target at: 866-852-8680, the company said.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider Horizon3.ai.

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights