WASHINGTON – Hackers gained access to as many as 40 million credit and debit cards used by customers of Target during the height of the holiday shopping season, the company reported Thursday, in one of the biggest data breaches in history.
Company officials offered few details on the intrusion, which reportedly began the day before Thanksgiving (Nov. 28) and lasted until Sunday. Security experts said that the kind of information stolen — including names, card numbers, expiration dates and three-digit security codes — could allow criminals to make fraudulent purchases almost anywhere in the world.
The breach highlighted vulnerabilities in the massive, interconnected shopping systems used for billions of dollars of retail transactions every day. Customers at Target’s nearly 1,800 stores in the United States were potentially affected, though those who shopped online were not, the company said.
Consumers are not generally held responsible for purchases they do not authorize, but the scramble to cancel compromised cards and issue replacements threatens to cause disruptions as shoppers move into the final days of the most lucrative season on the retail calendar.
The Secret Service, which investigates financial fraud, is looking into the intrusion. Major breaches in the past have drawn scrutiny and in some cases fines from federal and state officials when they determined that companies did not adequately protect private customer information.
“Whatever money Target thought they were going to get during the holiday season just got flushed down the data-breach toilet,” said John Kindervag, an analyst and data security expert at Forrester, a research firm. He estimated that Target will have to spend at least $100 million to cover legal costs and to fix whatever went wrong.
Kindervag said the company will owe money to card brands, like Visa and American Express, that have to reimburse customers for fraudulent transactions. Target, based in Minneapolis and one of the nation’s largest retailers, also faces the risk of enduring damage to its reputation, according to analysts and consumer advocates. Company stock was down more than 2 percent on a generally flat day on Wall Street.
“You want people to trust in your products,” said Ed Mierzwinski, consumer program director for U.S. PIRG, a Boston-based consumer group. “Target’s obviously got a big problem, and they’ve got to do something about it.”
Journalist Brian Krebs, who runs the Krebs on Security blog, first reported the breach Wednesday afternoon. Target confirmed it Thursday morning with a short statement outlining the timing of the intrusion and the nature of the data lost.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, Target’s chief executive officer, in this statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Target said it notified law enforcement authorities and financial institutions after discovering the breach. The company said it also has hired an outside forensics firm to investigate the incident and strengthen its systems.
The company declined to comment on how the intrusion happened, when it learned that it had occurred and what kind of encryption, if any, is used to protect consumer data. “In terms of overall practices, we continually and continue to make sure that our information is protected,” said Target spokeswoman Molly Snyder.
Outside security experts said the information that Target reported stolen is contained on the magnetic strips of debit and credit cards and could be used to create fraudulent new cards.
The payment systems used in modern retailing are sprawling, with countless card readers in individual stores gathering data, transmitting them on internal corporate networks and communicating with banks before approving purchases. Hackers could potentially find weaknesses at any point in the system.
The massive extent of the breach suggest that hackers reached deeply into Target’s corporate networks rather than accessing systems at individual stores. If criminals also obtained pin codes for debit cards, they could be used to withdraw cash directly from user bank accounts, experts said.
Target said there is no indication that PIN numbers were taken in the data breach.
“It’s an arms race. And the crooks are almost always ahead of the game,” said Beth Givens, founder of the nonprofit consumer advocacy group Privacy Rights Clearinghouse, which tracks data breaches. “The fraud investigators and law enforcement are almost perpetually in catch-up mode.”
The Target breach is the third-largest ever reported, Givens said. The largest on record was at Heartland Payment Systems, which revealed in 2009 that roughly 130 million credit and debit cards had been exposed. The second-biggest attack struck TJX Companies, the parent company of TJMaxx and Marshall’s, which said in 2007 that about 45 million credit cards and debit cards had been compromised. The retail giant later negotiated a $40.9 million settlement with Visa and banks that issued its cards. The TJX data reportedly was stolen by criminals who gained access to payment systems through the wireless networks of individual stores.
“The reality is there could be 16 different ways this could happen,” said Krebs, who predicted more data breaches because many retail stores run similar payment systems. “These guys are real smart, and they’ve found a vulnerability.”
Avivah Litan, an analyst at Forrester, said that the Target case is unusual because of its scale and because the company had invested heavily in security, aware that its size made it attractive to criminals. Still, she noted that low-tech methods could be used by a renegade employee within the company with access to the right systems.
“It may not be sophisticated,” Litan said. “It could be they just didn’t have the basic controls.”
The number of serious data breaches appears to be rising. This month, JPMorgan Chase disclosed that 465,000 of its card users’ data had been stolen after an attack on the website for its prepaid card.
The timing of the Target intrusion raised the stakes for customers, the company and the banks that issued the credit and debit cards — and now must increase monitoring for fraudulent transactions.
“This is happening right in the throes of the most critical shopping season of the year,” said Carol Spieckerman, president of the retail consulting firm newmarketbuilders. “There’s a very real possibility that people will steer clear of Target in light of this.”
More troubling for Target, Spieckerman said, is that the company’s online business already had been attempting to make up ground against online competitors. Even though the data breach appears to have happened in traditional stores, the news could potentially slow sales on the company’s websites if customers are made uneasy, she said.
“Unfortunately it’ll affect the perception of safety, the trust that customers have in a digital space, as well,” said Spieckerman. “They’ve played an impressive game of catch up, but they certainly didn’t need this.”