The cyberattack on Target Corp. will cost Minnesota’s credit unions nearly $750,000 in replaced cards, data showed Wednesday.
The state’s credit unions will reissue 27,000 credit cards and 117,000 debit cards exposed in the breach, at a cost averaging $5.15 per card.
The Minnesota Credit Union Network, which disclosed the estimates Wednesday, said the numbers are based on a national survey by the Credit Union National Association.
The level of fraud detected on the cards still isn’t clear, and it’s not known how many cards already have been replaced.
Banks in Minnesota don’t yet have an estimate of their costs related to Target’s pre-Christmas breach.
In a news release, Mark Cummins, head of the Minnesota network, said the credit unions and their members “are having to cover those costs by themselves.”
Cummins urged Congress to consider legislation that would hold all players in the country’s payments system to comparable security standards and require merchants to reimburse credit unions for the costs of reissuing cards.
Nationally, banks and credit unions together have spent more than $200 million replacing about 22 million cards, about half of the 40 million credit and debit cards exposed in Target’s data security breach.
Seeking to recoup some of their losses, financial institutions are part of the dog pile of class action lawsuits that have been filed against the Minneapolis-based retailer.
The attack, one of the country’s largest recorded data breaches, will likely cost Target hundreds of millions of dollars over the next few years. Meanwhile, investigators are trying to figure out exactly how thieves pulled off the intricate heist and whether Target’s data security practices were in any way insufficient.
The Department of Justice first notified Target of suspicious activity with payment cards used at Target on Dec. 12. Ultimately, cyberthieves stole two sets of data: the payment card information of about 40 million people who bought merchandise in U.S. stores, and partial personal information, such as names and e-mail addresses, of about 70 million people. It’s not clear how much overlap there is between the two groups.
Thieves somehow infiltrated Target’s internal network with credentials stolen from an employee at a Pennsylvania heating and refrigeration company that works with Target. They then introduced malware that attached to the point-of-sale devices at U.S. stores and grabbed unencrypted card data when shoppers swiped their cards at the checkout.