Analyst says suspects may have been identified; Target’s general counsel confers with states.
The U.S. Department of Justice has stepped into the investigation of the huge data security breach plaguing Target Corp. and its shoppers, the company said Monday.
The nation’s No. 2 retailer disclosed the Justice Department’s involvement in a brief statement, also noting that the company’s top lawyer was participating in a conference call Monday with state attorneys general to discuss the breach and its impact.
Target didn’t elaborate on the focus of the Justice Department’s investigation, and a spokesman for the federal agency declined to comment. Al Pascual, security risk and fraud analyst at Javelin Strategy & Research, said the Justice Department may have an interest in the case because a suspect or suspects have been identified.
“I can’t see another reason that they would be involved at this point,” Pascual said. “It’s too early to say it’s criminal negligence on the part of the company.”
Target confirmed Monday that the data breach involved malicious software that somehow got on the point-of-sale card-swiping devices in the checkout aisles of Target’s U.S. stores. The cyberattack exposed debit and credit card information of 40 million customers who bought merchandise in U.S. stores from Nov. 27 to Dec 15.
Since the breach was revealed last week, consumers have been scrambling for information from Target, jamming the company’s phones.
“We have communicated to 17 million guests via e-mail and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call,” Target spokeswoman Molly Synder said Monday in the statement.
The data breach is among the largest recorded, and it remains under investigation by the U.S. Secret Service and an outside forensics company working with Target. The Minneapolis-based chain has emphasized that it was the victim of a sophisticated crime and sought to bolster the public’s confidence by extending a 10 percent discount to shoppers last weekend.
To date, little card fraud connected to the Target theft has been reported. It probably will be many months before it becomes clear how the data may have been misused.
Nearly any type of credit and debit card used for purchases at the store during the 19-day period was affected, including Target’s own Redcard debit and credit cards. About 20 percent of Target’s total sales are made on Redcards.
The theft involved the CVV security codes embedded in the magnetic stripes on the cards and not the three-digit CVV codes on the back of the cards, as the company initially reported. Target has repeatedly said the security breach did not compromise debit card personal identification numbers (PINs). Still, some banks have decided proactively to issue new debit cards and PINs to affected customers.
Over the weekend JPMorgan Chase & Co., one of the country’s largest card issuers, imposed daily limits on ATM debit withdrawals and debit card purchases of about 2 million of its customers whose accounts were exposed. At first, Chase limited customers to cash withdrawals of $100 a day and total purchases of $300 a day. It has since relaxed the restrictions to cash withdrawals of $250 and total purchases of $1,000 a day.
“We realize this could not have happened at a more inconvenient time with the holiday season upon us,” Chase said in its notice to its customers.
Doug Johnson, vice president of risk management policy at the American Bankers Association, said he didn’t know of any other major card issuer taking such a step. Banks are walking a fine line, he said, trying to eliminate risk without hassling customers at a time of heavy holiday shopping and traveling.
San Francisco-based Wells Fargo & Co., the largest bank in Minnesota, and Minneapolis-based U.S. Bancorp said they aren’t canceling or restricting cards. The banks are among the nation’s major card issuers, and both have said they are monitoring cardholder accounts for unusual patterns and activity.
Wayzata-based TCF Financial Corp. said it was advising customers with Target debit cards linked to checking accounts at TCF to cancel their Redcard, or detach the card from their checking account.
Costly, inconvenient to cancel
There’s pressure not to cancel cards because it costs banks about $4 to $5 to replace a consumer’s card.
Mass card replacements would add to the overall cost of the breach, which is expected to rise to hundreds of millions of dollars in combined fraud losses, litigation and other expenses.
“I don’t think any of the issuers want to be the bank that stole Christmas, the Grinch, even though that’s probably what they should do,” said data security expert Brian Krebs, who broke the news of the breach last week on his blog Krebsonsecurity.com.
Canceling cards isn’t terribly practical, said Pascual of Javelin Strategy & Research. “If we had to replace a card for every breach, you’d get a new card every month,” he said.
Krebs and others who monitor black market card activity reported stolen cards flooding the underground market in recent weeks and commanding high prices because of the amount of data about the accounts, such as ZIP codes.
Krebs reported Sunday that there has been another huge batch of stolen cards trading on the digital black market, this time cards issued by non-U.S. banks. Easy Solutions Inc., an anti-fraud company in Miami that also monitors black market card activity, also blogged about new “world dumps.”
Daniel Ingevaldson, Easy Solutions’ chief technology officer, said many of the cards in the latest batch were issued by banks in Latin America. Krebs said he thinks they were from all over the world. Both said the latest batch appears to be linked to the Target breach.
“All the hallmarks are the same,” Ingevaldson said.
The stolen cards issued by non-U.S. banks may be more valuable now to crooks as U.S. cardholders and banks cancel their cards and clamp down on potential fraud, they said.
“This is going to be a process where unfortunately the lion’s share of the work falls on the banks,” Ingevaldson said.
Jennifer Bjorhus • 612-673-4683