Details of 40 million customer debit and credit cards may have leaked in a data breach at Target – which began on November 27 and ended on December 15.
“Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013,” the retailer said in a statement. The data stolen is reportedly “track data” which can be used to clone cards, according to Brian Krebs.
“Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”
The story initially broke via security expert Brian Krebs’ site, Krebs on Security, leaked to him via officials at 10 credit card issuers.
It’s still unclear which stores were affected, and who the attackers are. Krebs quotes one unnamed anti-fraud analyst at a card issuer as saying, “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
According to ABC News, the U.S. secret service is currently investigating, but declined to provide further details. The report said that the attack hit the height of the shopping season, and described it as “one of the largest data breaches of all time”. ABC’s report said that unnamed security experts did not expect the incident to be resolved until “well into the new year.”
The data stolen was “track data”, according to Krebs’ sources. This, Krebs warns, is exactly what cybercriminals need to clone credit cards – but the damage caused by the breach may depend on whether the criminals also have access to PIN numbers.
“The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs,” Krebs said.
ESET Senior Research Fellow David Harley warns that even if the criminals do not have access to this data, the security of Target customers will be impacted.
Harley says, “Even if your PIN or password is well chosen, your security is reduced – not necessarily completely compromised – if data such as track data are compromised by other means.”
“It’s not clear exactly how the data were stolen in this case, and therefore whether PIN data for debit cards were also stolen. Still, it’s always worth trying to make it harder for a crook to guess PINs: the PINs people actually tend to use are more stereotyped than you might think. See this blog for more details.
The store issued a statement via its website, saying, “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.”
“You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions.”
As ESET security researcher Stephen Cobb points out, even though we are hearing that Target’s online shoppers are not affected, now would be a good time for anyone who has an account at target.com to change their password, just to be on the safe side.
Author Rob Waugh, We Live Security