
Target: 40M card accounts may be breached

Getty Images
A customer signs a credit card statement next to a scanner in a Target store on December 19, 2013 in Miami. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.

Shopped at Target lately?

Anyone who used a Redcard or any credit or debit card at a Target store in the United States between Nov. 27 and Dec. 15 should consider the following steps:

• Check your statements carefully. View updated statements online if possible.

• Look for any transactions you didn't authorize, including $1 charges or holds. Thieves might try a small transaction first as a test.

• If you used a Target Redcard, call the company at 866-852-8680.

• If you find an unusual transaction on a Visa, MasterCard or other type of card, call the issuing bank immediately. Also call your local law enforcement agency.

• File a fraud report with all three credit reporting agencies. Information on the agencies and how to get a free credit report is available at or 877-322-8228.

By David Conti

Published: Thursday, Dec. 19, 2013, 10:15 a.m.

Here's a list Target shoppers might want to check twice this Christmas: their credit card statements.

The Minneapolis-based retailer with 17 outlets in Western Pennsylvania confirmed on Thursday that a data breach might affect 40 million credit and debit card accounts belonging to people who shopped at stores nationwide between Black Friday and Dec. 15.

The unexplained access to customer names, card numbers, expiration dates and three-digit security codes involved Target Redcards and cards issued by banks. It does not appear to involve online purchases. It's unclear if any customers reported unauthorized use of card numbers.

Target did not explain what happened but said it fixed the issue and alerted banks and authorities. The Secret Service is investigating.

“Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue so guests can shop with confidence,” Chairman, President and CEO Gregg Steinhafel said in a statement.

The company said customers should closely examine their statements.

“I'm already checking. You'd think they would figure this out by now,” said Beth Hollerich, 51, of Chartiers City, who spent $49.99 on a Lego set at the Target in Robinson on Black Friday.

Target told some shoppers to call a toll-free number to find out if their information was exposed.

“I was on hold for so long, and then it just cut off, so I can't get through,” said frequent shopper Tracey Shipley of Cranberry. She said staff at the Cranberry store gave her the phone number when she asked about her Redcard.

“I just want to get it settled,” she said. “I love Target. I don't want anything bad to come from this.”

Experts sounded a note of calm.

“The system worked. Somehow it was detected,” said Martin Lindner, a principal engineer in the CERT division at the Software Engineering Institute at Carnegie Mellon University.

Steven M. Bellovin, a cyber security expert and computer scientist at Columbia University, called the event a “nuisance” for customers who can now watch their accounts and contest fraudulent charges. But it's another wake-up call for the industry.

“It was clearly a large-scale, organized effort, carefully timed for this busiest shopping season. They were trying to get as much as they could and run,” Bellovin said. “That gives another hint to businesses. They need to be continually looking.”

Experts and customers wondered if someone inside Target helped break through what is likely a multimillion-dollar security system.

“It can happen no matter how cautious you are, which is why I always watch my account,” shopper Bonnie DeLuca, 66, of Allison Park said after visiting the Target at Mt. Nebo Pointe in Ohio Township.

Lindner and Bellovin said they could not speculate on what happened at Target, given the limited information the chain released. Both noted that modern-day retailing and banking open numerous doors for theft. Several computer systems handle each step from collecting card information when a customer swipes it in a reader to the store's getting final payment from the bank that issued the card. More systems control communication among the computers.

“It's a complex business process where everyone has to do the right thing. If there's one mistake in the armor, the bad guys will take advantage of that,” said Lindner, who called the battle between information security professionals and criminals an “arms race.”

Bellovin said the thieves likely got the information from a system connected to registers because Target said the breach involved the three-digit security codes. Those codes, which often are on the backs of cards, are not among the information on magnetic strips, he said. And card companies tell retailers they should not store those codes.

“It wasn't just a skimming attack,” he said. “You're looking at a large operation to have the skills to get the numbers and then to do something with them.”

TJX Cos., which runs stores such as T.J. Maxx and Marshalls, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. For at least 17 months, one or more intruders had free rein inside TJX's computers and installed code to unearth, collect and transmit account data.

A larger hack hit Sony in 2011. It had to rebuild trust among PlayStation Network gamers because hackers compromised personal information, including credit card data on more than 100 million user accounts.

Target reported $72 billion in sales in 2012. It has 1,797 U.S. stores and 124 in Canada.

Shoppers said the breach would not scare them away.

“It's scary to hear, but I'll be back,” said Melissa Thomas, 31, of Shaler, who stopped at Target in Ohio Township for baby supplies. “I'm here once a week.”

The Associated Press contributed to this report. David Conti is a staff writer for Trib Total Media. He can be reached at 412-388-5802 or



