VentureBeat CEO Matt Marshall had to cancel his credit card this week.
Marshall was one of millions to shop at Target between Nov. 27 and Dec. 15, when one or more nefarious intruders bypassed the retail chain’s security measures and stole data from at least 40 million credit and debit cards. Apparently, the breach affected everyone who used a card to purchase something at one of Target’s 1,800 U.S. stores in that time period.
Marshall started seeing suspicious charges pop up on his card statements — ironically, from a California-based Target store. But he’s not the only one: Millions of cards used at Target have appeared on underground “card shops” in recent weeks, according to KrebsOnSecurity, the blog that originally reported the Target breach story.
They’re selling in batches of up to one million cards, with each card going for anywhere from $20 to $100. Crooks can pay for them using virtual currencies like Bitcoin and Litecoin, as well as through wire transfers via Western Union and MoneyGram.
The thieves not only gained access to credit card numbers, but also three-digit CVV security codes, which merchants aren’t supposed to store — demonstrating a blatant disregard for data security best practices (not to mention compliance requirements) on Target’s part. Scam artists can use that information to make purchases at retail stores. If the intruders also gained access to the PINs for those cards, crooks could theoretically use cloned cards to withdraw cash from a victim’s bank account directly from ATMs.
Reached for comment, Bank of America and JPMorgan Chase representatives provided similar statements to VentureBeat: They proactively monitor customers’ accounts for fraud and will reach out if they see suspicious activity, and customers aren’t liable for any fraudulent use of their cards. Bank of America specifically promised to reissue the cards if necessary.
The banks aren’t thrilled at the prospect of having to reissue thousands or potentially millions of cards. Not only does the process cost around $3 to $5 per card, but it also means lost revenue during the hottest shopping season of the year.
While the precise scope of the Target intrusion is still a bit hazy, it’s undoubtedly one of the largest retail security breaches to date.
“I do not envy anyone that has to respond to a breach like this,” said David Kidd, director of quality assurance and compliance at Peak 10, a provider of cloud data solutions. “Going forward this will be a cautionary tale and, I hope, a learning experience for information security professionals.
“The Payment Card Industry Data Security Standard was intended to protect businesses, consumers, and card issuers from exactly this type of information security breach — and compliance is a critical component of prevention, whether it is internally managed or through a data solutions provider.”
As a result of the breach, Target could face fines from major credit card brands as well as a loss in consumer trust.
In 2007, retailer TJX’s systems were also compromised by hackers. The crooks tapped into the store’s wireless networks to access and steal data from its Massachusetts headquarters, taking off with information from more than 45 million credit and debit cards. TJX faced fines of more than $40 million as a result of the incident.
Updated at 1:13 PM PT with a comment from Peak 10’s David Kidd