Target Corp. is confronting a security breach that potentially exposed the credit and debit cards of 40 million customers who purchased merchandise between Nov. 27 and Dec. 15, the company said in a statement early Thursday morning.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” the statement said.
The Minneapolis-based company did not respond to requests Wednesday for comment on the extent of the data theft, which was first disclosed in an online report by Brian Krebs, a journalist who specializes in computer security.
Target said that it has "identified and resolved the issue" that allowed the security breach.
A spokeswoman for American Express confirmed the breach in an interview with the Star Tribune, and the Secret Service confirmed to the Wall Street Journal and the Associated Press that it has begun its own investigation.
“We’re working with Target on this,” Marina Norville, an American Express spokeswoman, said Wednesday. “It’s an investigation right now. We’ve put fraud controls in place.”
On his website, Krebs quoted unnamed sources as saying the computer breach occurred on or around Black Friday, the day after Thanksgiving and one of the year’s busiest shopping days. It may have continued until Dec. 6 or Dec. 15, sources told Krebs, involving transactions in stores but not online purchases.
Krebs said sources at two of the top 10 credit-card issuers said that the breach affected nearly all Target locations nationwide and that it “involves the theft of data stored on the magnetic stripe of cards used at the stores.”
With nearly 1,800 stores nationwide, a systemic breach of security at Target lasting a week or more would have the potential for compromising the credit and debit cards of millions of customers.
Krebs, a former Washington Post reporter whose blog at krebsonsecurity.com follows computer security issues, said in an interview that he learned about the problem from banks that are starting to see it mushroom on credit accounts.
Krebs said he heard “from five different people at five different banks, and the banks are being tipped by the card companies,” such as Visa and MasterCard. “At least two major card issuers [banks] said hundreds of thousands of cards had been compromised, and there are dozens of card issuers, so that adds up to millions of cards.”
American Express hasn’t sent notices to its customers yet because so far it has seen no Target-related fraud on its cards, Norville said.
“We just got wind of this,” she said. “If we do see a fraud impact on customer cards, that’s when notification comes into play.”
The Wall Street Journal reported Wednesday that the Secret Service is investigating, though it said an agency spokesman wouldn’t discuss an ongoing probe.
Krebs said he hasn’t been told how the breach occurred, and he stressed that he doesn’t know whether the stolen card numbers have been used in fraud attempts. He cautioned, however, that there is often a lag between the theft of card numbers and their use in attempted fraud.
Thieves in possession of account numbers could use the information to make counterfeit credit cards and, if the personal identification numbers for the cards were also intercepted, the phony cards could be used to withdraw cash from ATMs.
Consumers should watch their card statements for bogus charges and notify their banks if they see any so they won’t be liable.
“All kinds of fraud increase during the holidays,” Krebs said. “Thieves know that a lot of merchandise is being charged and that people are less likely to notice fraudulent charges.”
It’s uncertain whether the news could depress Target sales during the rest of the holiday season. But Krebs said Target could pay a price if banks look to recover costs stemming from the security breach from the retailer.
“If this is a large breach, and some people are saying it is going to be pretty big, the banks will try to recover from Target the cost of reissuing new cards,” Krebs said.
Other retailers have fallen victim to ploys that allowed customers’ credit numbers to be gleaned from store payment systems.
The largest credit card breach at a U.S. retailer surfaced in 2007, when TJX Companies, the parent of TJ Maxx and Marshalls, disclosed that data from 45.7 million cards had been stolen by hackers over an 18-month period.