Target has confirmed the compromise of the credit and debit card data of 40 million Target shoppers and says the problem has been identified and resolved. However, thieves are selling the card account information as fast as they can on underground sites, according to security blogger and expert Brian Krebs, who broke this story Dec. 18.
Little is known yet about how the data was compromised. "My best guess is [Target] got hit by hackers who got into their network, and were able to push malicious software out to the point of sale systems. We probably won't know for certain for weeks or months," Krebs says in an interview.
There are no signs yet of actual fraud committed on these cards. Minneapolis-based retailer Target reported that approximately 40 million credit and debit card accounts used between November 27 and December 15 of this year may have been compromised. All 1,800 physical stores were affected, but not the company's website. Target is working with a third-party forensics firm to conduct an investigation of the incident, it says.
Target won't want to talk about how it was hacked until it's confident it can't be breached that way again, Krebs notes. "When you're talking about 1,800 stores, that's going to take time," he says. The compromised data may have existed on a transaction aggregation server that handles transactions in large batches.
What is known is that the cybercriminals have obtained the basic account data stored on the magnetic stripes of the credit and debit cards information such as name, account number and card expiration data. And they're selling that data.
"The guys who stole them can't offload them fast enough, because 5-10% of them are about to expire," Krebs says. "There's a fire sale going on right now -- they lose value for every day they don't sell them." Now that the story has broken and issuers may begin cancelling the affected cards, the deadline pressure is on for the hackers.
Card issuers can go into these underground forums and start buying up some of the cards to learn more about the theft, Krebs says. The price for the freshest card account data runs about $44 apiece.
There's a strong possibility that card fraud will start to take place using this stolen data.
"If they're able to duplicate cards as a result of this, that means they'll have some kind of point of sale access," Krebs says. Some of the affected cards are debit cards, which means counterfeit cards could be used at ATMs as well as point of sale terminals, especially if PIN numbers were stolen as well.
Target has an innovative card called a Red card that can be used for debit or credit customers can tie their existing bank account to their Target card and use it as a debit card. But this breach is a wake-up call for all card issuers and retailers.
"Hackers that do this kind of stuff are really good at finding vulnerabilities in specific products," Krebs says. For instance, if the hackers found a vulnerability in Target's POS technology that lets them move through the system, there's a good chance other retailers using a similar setup could be hit the same way.
"I guarantee if you're a big box retailer, you're taking a real close look at this right now," Krebs says.
Banks that issue cards affected by a data breach sometimes have to re-issue compromised cards. But this is a tough call.
"A lot of issuers will take a wait-and-see approach," Krebs says. "They're probably getting inundated with calls from people who shop at Target who are freaking out about what to do. The last thing they want to do is cancel these people's cards around Christmas. I'm positive Target would much rather have seen this come out on December 26."