Target: 40M card accounts may be breached
By David Conti
Published: Thursday, Dec. 19, 2013, 10:15 a.m.
Here's a list Target shoppers might want to check twice this Christmas: their credit card statements.
The Minneapolis-based retailer with 17 outlets in Western Pennsylvania confirmed on Thursday that a data breach might affect 40 million credit and debit card accounts belonging to people who shopped at stores nationwide between Black Friday and Dec. 15.
The unexplained access to customer names, card numbers, expiration dates and three-digit security codes involved Target Redcards and cards issued by banks. It does not appear to involve online purchases. It's unclear if any customers reported unauthorized use of card numbers.
Target did not explain what happened but said it fixed the issue and alerted banks and authorities. The Secret Service is investigating.
“Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue so guests can shop with confidence,” Chairman, President and CEO Gregg Steinhafel said in a statement.
The company said customers should closely examine their statements.
“I'm already checking. You'd think they would figure this out by now,” said Beth Hollerich, 51, of Chartiers City, who spent $49.99 on a Lego set at the Target in Robinson on Black Friday.
Target told some shoppers to call a toll-free number to find out if their information was exposed.
“I was on hold for so long, and then it just cut off, so I can't get through,” said frequent shopper Tracey Shipley of Cranberry. She said staff at the Cranberry store gave her the phone number when she asked about her Redcard.
“I just want to get it settled,” she said. “I love Target. I don't want anything bad to come from this.”
Experts sounded a note of calm.
“The system worked. Somehow it was detected,” said Martin Lindner, a principal engineer in the CERT division at the Software Engineering Institute at Carnegie Mellon University.
Steven M. Bellovin, a cyber security expert and computer scientist at Columbia University, called the event a “nuisance” for customers who can now watch their accounts and contest fraudulent charges. But it's another wake-up call for the industry.
“It was clearly a large-scale, organized effort, carefully timed for this busiest shopping season. They were trying to get as much as they could and run,” Bellovin said. “That gives another hint to businesses. They need to be continually looking.”
Experts and customers wondered if someone inside Target helped break through what is likely a multimillion-dollar security system.
“It can happen no matter how cautious you are, which is why I always watch my account,” shopper Bonnie DeLuca, 66, of Allison Park said after visiting the Target at Mt. Nebo Pointe in Ohio Township.
Lindner and Bellovin said they could not speculate on what happened at Target, given the limited information the chain released. Both noted that modern-day retailing and banking open numerous doors for theft. Several computer systems handle each step from collecting card information when a customer swipes it in a reader to the store's getting final payment from the bank that issued the card. More systems control communication among the computers.
“It's a complex business process where everyone has to do the right thing. If there's one mistake in the armor, the bad guys will take advantage of that,” said Lindner, who called the battle between information security professionals and criminals an “arms race.”
Bellovin said the thieves likely got the information from a system connected to registers because Target said the breach involved the three-digit security codes. Those codes, which often are on the backs of cards, are not among the information on magnetic strips, he said. And card companies tell retailers they should not store those codes.
“It wasn't just a skimming attack,” he said. “You're looking at a large operation to have the skills to get the numbers and then to do something with them.”
TJX Cos., which runs stores such as T.J. Maxx and Marshall's, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. For at least 17 months, one or more intruders had free rein inside TJX's computers and installed code to unearth, collect and transmit account data.
A larger hack hit Sony in 2011. It had to rebuild trust among PlayStation Network gamers because hackers compromised personal information, including credit card data on more than 100 million user accounts.
Target reported $72 billion in sales in 2012. It has 1,797 U.S. stores and 124 in Canada.
Shoppers said the breach would not scare them away.
“It's scary to hear, but I'll be back,” said Melissa Thomas, 31, of Shaler, who stopped at Target in Ohio Township for baby supplies. “I'm here once a week.”
The Associated Press contributed to this report. David Conti is a staff writer for Trib Total Media. He can be reached at 412-388-5802 or email@example.com.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- Western Pennsylvania engineer aboard missing Malaysian Airlines flight, employer says
- Analysis: Kesler still on Pens’ radar as Shero aims to bring back ‘Big 3’
- Pirates notebook: Volquez, Morton struggle
- Original tea partyers returning to GOP fold
- 2 dozen injured as California school stage falls
- College basketball notebook: WVU’s Staten, Iowa State’s Kane named 1st-team all-Big 12
- ‘Un-American’? That’s Harry Reid, the Senate’s lowly smear artist
- 273 cited in Ohio in year for texting, driving
- Penn State falls at Minnesota, rematch set for Thursday
- Pirates’ big risk with pitch-heavy draft focus might soon pay off
- Experts: Anti-vaccine view a peril