
UPDATED: Target Customers Targeted in Massive Data Breach

Source: Tom's Guide US

Holiday shoppers beware: Hackers have broken into the databases of retail superstore Target and made off with approximately 40 million credit and debit card accounts used in Target's stores between Nov. 27 and Dec. 15, 2013.

Anyone who has used a credit or debit card at a physical Target location within that time should assume that their accounts have been compromised.


The breach was first reported by security expert and blogger Brian Krebs on Dec. 18, and later confirmed by Target on Dec. 19. One of Krebs' sources said that: "When all is said and done, this one will put its mark up there with some of the largest retail breaches to date."

Target says the stolen account information consists of the customer's name and credit or debit card number, as well as the card's expiration date and CVV (three-digit security code). 

According to Krebs' sources, the stolen account information comes from the so-called "track data" stored on a credit or debit card's magnetic stripe. The CVV stored on a card's magnetic stripe is different than the one printed on the card itself, however. So in this case the thieves wouldn't be able to use a stolen account to make online purchases (which require the printed CVV) but they could use the stolen data to forge new credit cards by encoding the track data on a new magnetic stripe, Krebs speculates.
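The stripe layout described above can be checked for defensively. The following is an added example, not part of the original article: a scanner that finds and redacts Track 2 data in log text, assuming the standard ISO/IEC 7813 Track 2 layout. The log lines are constructed, and the function names are illustrative. Note that the fields recovered are the account number, expiration date, service code and issuer discretionary data; the code printed on the card is not among them.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE_LOG = """\
10:02:11 pos-07 auth ok amount=23.10
10:02:12 pos-07 debug swipe=;4111111111111111=25121010000012300000?
10:02:15 pos-07 order ref ;1234567890123456=25121010000? shipped
"""

def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _parse(m):
    """Return a masked summary of a match, or None if it is not plausible."""
    pan, yy, mm, service, disc = m.groups()
    if not (1 <= int(mm) <= 12 and luhn_ok(pan)):
        return None
    return {
        "offset": m.start(),
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": f"{mm}/{yy}",
        "service_code": service,
        # The stripe's own verification value sits in here, issuer-defined.
        "discretionary_len": len(disc),
    }

def find_track2(text):
    """List every plausible Track 2 record found in text, with the PAN masked."""
    return [hit for hit in map(_parse, TRACK2.finditer(text)) if hit]

def redact_track2(text):
    """Replace plausible Track 2 records; leave non-card digit runs untouched."""
    return TRACK2.sub(
        lambda m: ";[TRACK2 REDACTED]?" if _parse(m) else m.group(0), text)

if __name__ == "__main__":
    print(find_track2(SAMPLE_LOG))
    print(redact_track2(SAMPLE_LOG))
```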

It's not clear if the breach includes PIN numbers associated with debit cards used at Target, but if so, the thieves could use those as well to make unauthorized cash withdrawals. In October, Adobe admitted that hackers had stolen 150 million account credentials, compromising the emails and passwords of more than 38 million individual users.

In May, open-source content management system Drupal was hacked, and almost 1 million users' email addresses, passwords and other personal information were stolen.

If you believe you have been affected by Target's data breach, contact your credit card company immediately and check for any unfamiliar expenses. You can also obtain a credit report from a nationwide credit reporting agency such as Equifax, Experian or TransUnion, and ask for a "fraud alert" to be applied to your account. This requires creditors to take extra steps to verify your account, making it more difficult for anyone, including you, to obtain credit.

You can also contact Target directly at 866-852-8680 or see Target's official statement for state-by-state recommendations.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • -7 Hide
    Adroid , December 18, 2013 4:22 PM
    No pun intended. I'm a poet and I noet.
  • -4 Hide
    velocityg4 , December 18, 2013 8:21 PM
    I wonder if any of these companies run Z/OS. From what I've read it's never had a virus or been hacked. Maybe it's time to move from Windows Server and Linux to Big Blue.
  • -2 Hide
    rwinches , December 18, 2013 8:42 PM
    Wow! I'm glad I used cash during that time period.
  • -3 Hide
    JOSHSKORN , December 18, 2013 11:29 PM
    Wow I'm glad I only shopped on Amazon.
  • -1 Hide
    house70 , December 19, 2013 5:12 AM
    Inside job.
  • -3 Hide
    Ninjawithagun , December 19, 2013 9:36 AM
    Time to sue Target with a class action lawsuit for providing inadequate cyber security measures on their customer database. This is an easy win for any law firm that wants to make some easy money.
  • -2 Hide
    Darkk , December 19, 2013 6:26 PM
    Switching one operating system to another isn't going to solve the problem. It's physical access to the database either by network (inside or outside) or somebody at the compromised terminal / PC.

    All these stores are connected via VPN to the data center and from there it gets processed. Somewhere along the lines one of these stores' networks got compromised and accessed this data.

    This happened before with Home Depot's WiFi network. Lucky the damage is only limited to that one store.

    This could very well be an inside job.

    I too am affected by this breach and it's really ticking me off. So hopefully my CC numbers will never get used. Going to order new card anyway.
  • -3 Hide
    Grandmastersexsay , December 20, 2013 8:02 AM
    It doesn't sound like this was an issue of Target's records being hacked, because Target is stating the only people affected are the ones who made purchases over a narrow time frame. If it was a matter of their database being hacked, the criminals would have records going back much further. Like most stores, Target keeps card information in case of returns.

    No, this sounds like card data was intercepted from the card swiping machines. Can these swipers have their firmware automatically updated? Do these swipers contact an outside party for authorization? What kind of path does the authorization take? I doubt it is different than most stores. It would be nice to hear from someone in the industry take a guess.


    "So in this case the thieves wouldn't be able to use a stolen account to make online purchases (which require the printed CVV) but they could use the stolen data to forge new credit cards by encoding the track data on a new magnetic stripe, Krebs speculates."

    That makes no sense. If they could make new cards from this data, they would have to match the existing printed data, which means they could make online purchases.
  • 0 Hide
    rawoysters , December 20, 2013 12:57 PM
    I am assuming that all this data was not encrypted? How do companies of this size get away with this kind of complacency?
  • -1 Hide
    wirefire99 , December 21, 2013 4:47 AM
    They don't actually have to match the printed data on the card. When you process the debit / credit card at a retailer and swipe the card, the numbers requested at most retailers by the computer are the last several digits (4 usually) of the card number itself, not the CVV. This was done a while ago to force the merchant cashier to physically look at the card.

    If I have a Mastercard issued from bank X with a number 5999999999999999, exp date of 12/20 and a printed CVV of 888,

    a capture would give them everything but the physical design of the plastic (design / imaging) and the printed rear CVV. So with a simple mag stripe programmer and card maker, they can forge a random design on the card, imprint the physical numbers and original card holder name, copy the magnetic data from track 1 and 2 to the card, and just make up a 3-digit rear CVV to make it appear valid (1/1000 they should guess correctly anyway). The new fraudulent card looks real, acts real and has a signature that matches the name on the card. At any retailer it would draw little to zero attention on a cashier's best day.

    The credit card system itself allows for this kind of fraud, but upgrading the system to fix the problems would cost billions. The easiest thing to do would be to keep the 16-digit system in place and make the response auth code checked against an RSA (or other) key generated by the card. It would require significantly more advanced physical cards, but fraud would be near impossible if credit cards contained active changing data.
  • -1 Hide
    helldog3105 , December 21, 2013 8:39 AM
    If this was data that was intercepted via a swipe through the credit card systems, how did they get the CVV codes? The article explicitly states that they got those codes as well. Under standard circumstances, those numbers should not be saved when swiping your card at a retailer, right? So how did they capture that information as well? It seems to me that however the data was stolen, heads in the IT department will roll for this. If their database was hacked, then the security was too weak. If it was some sort of interception of data as it was sent to the database, then their connections aren't encrypted well enough, and heads in the IT department will roll. The sad thing is, it is highly possible that someone in the IT department pointed out the security flaw and was ignored, because it would be costly to correct. Isn't that what happened at Sony? Any way you look at it, this is a detriment to people in general. For once I dodged the bullet because I didn't shop there between the affected dates. This is one time when I really think a Class Action Lawsuit is required. Definitely before these large retail chains get the idea that shopping at their store binds you to an EULA that can only be found on their website that prohibits Class Action Lawsuits.