If you’ve shopped at a Target store in the past few weeks, get ready to keep a close eye on your monthly payment card statements.
Target confirmed today that hackers gained access to data from more than 40 million credit and debit cards used in its stores between November 27 and December 15. While the issue has been resolved, Target recommends that all shoppers who visited its stores during that period keep a close eye on their card activity.
It’s unclear if the breach also affected online shoppers, but at this point that doesn’t seem likely. Target has around 1,800 stores across the U.S., all of which were affected by the attack.
Target says it contacted authorities once it became aware of the breach, and it’s now working with law enforcement agencies and financial companies. The breach appears clearly coordinated to take advantage of Black Friday weekend and the influx of holiday shoppers in December. While Target isn’t offering up any additional details about the attack, the huge payload and surprisingly lengthy time frame of the attack suggest a possible inside job.
Security reporter Brian Krebs, who broke the story before Target’s official announcement, is hearing that the thieves snagged magnetic stripe data from the cards, which would allow them to recreate credit and debit cards.
“This is a breach that should’ve never happened,” Forrester vice president and principal analyst John Kindervag said in a statement today. “The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC. Without knowing the exact breach vector it’s hard to say exactly what happened, but clearly by exposing CVV information Target has demonstrated a blatant disregard for PCI DSS compliance regulations as well as card security best practices.”
Expect to hear plenty more about this story over the coming weeks. In a time when shoppers are already leaning towards online shopping for convenience and cheaper prices, weak security efforts could push consumers even farther away from retail stores. In 2007, T.J.Maxx owner TJX was also hit by a data breach affecting 45.6 million cards used in its stores.