Target today confirmed that it has been the victim of a major credit-card hack, the second largest to have ever occurred.
From Nov. 27, the day before Thanksgiving, to Dec. 15, some 40 million credit and debit card accounts may have been compromised by the breach, which involved the theft of information stored on the magnetic stripe on the backs of cards used at nearly all of Target’s stores around the country (online sales weren’t affected). Among the information obtained were customers’ names, credit/debit card numbers, expiration dates and the three-digit security code, known as the CVV.
Target spokesman Eric Hausman confirmed that there is “no indication that debit card PINs were impacted,” which would have made the breach even worse.
Target Could Face Fines
In a statement posted on its website, Target’s CEO Gregg Steinhafel confirmed the breach, stating: “Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”
While Target declined further comment pending a Secret Service investigation, security experts said the breach most likely was some kind of inside job.
Mike Donovan, global focus group leader for Beazley Breach Response, said a quick response to such a breach is crucial to help get information out to those affected and to regulators, to bring in the right experts to address the breach (such as forensics experts who can stop cyber attacks) and to help preserve the public’s trust in the company.
“We see breaches across all sizes of companies,” said Donovan. “You see the stories about the big ones in the news, but breaches are affecting companies all across the board.”
Target may be one of the largest retailers hit with a data breach, but there have been others.
TJX Cos., which operates TJ Maxx and Marshall’s, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. The breach wasn’t detected until December 2006. In June 2009 TJX agreed to pay $9.75 million in a settlement with multiple states related to the huge data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws.
Target could lose sales as a result, analysts noted, and the retailer could face additional problems, too.
“The main victim is Target. They are going to pay for any fraud on the card,” said Avivah Litan, a Gartner analyst who specializes in cyber-security and fraud detection. “They will get fined by card issuers for non-compliance with payment card security standards. Their merchant fee will probably go up a few basis points.”