Anxious consumers besieged Target Corp. on Thursday after the company acknowledged that hackers may have gained access to credit and debit card information from 40 million shoppers.
The swarm of people who tried to access their Target Redcard account information online or who called customer service overwhelmed the company’s systems, piling frustration on top of the questions surrounding the brazen attack.
Target confirmed early in the day that a data breach had potentially exposed card information from shoppers who made purchases in the company’s nearly 1,800 U.S. stores between Nov. 27 and Dec. 15. Online transactions weren’t affected, the company said.
The Minneapolis-based company said it took immediate steps to eliminate the problem once it was identified. The company didn’t provide any explanation for how it happened, but a person familiar with the investigation said that malicious software was placed on Target’s point-of-sale terminals near store registers, where customers swipe their cards.
Target spokeswoman Katie Boylan said the company’s investigation is continuing. “This is obviously a sophisticated crime that we’re dealing with,” Boylan said.
A range of credit cards, including Visa, American Express and Target’s own Redcard, were likely exposed, although the extent of the impact is far from clear.
Thieves accessed customers’ names, credit and debit card numbers, card expiration dates and CVVs, the card verification value that shoppers know as the three-digit security number typically displayed on the back of their cards.
Boylan declined to answer questions about whether Target knows of customers who have seen fraudulent charges made on their cards as a result of the breach, which was disclosed by computer security blogger Brian Krebs on Wednesday.
She also declined to make one of Target’s payments experts available to answer questions about how the attack occurred.
Target is working with an unidentified third-party forensics company to investigate the attack. “We’re putting all of the appropriate resources on this issue,” Boylan said.
The Secret Service is also investigating the breach but won’t release any details of its probe, said spokesman George Ogilvie in Washington. The Secret Service investigates instances of device fraud, such as compromised ATMs and cyberintrusions, Ogilvie said.
Major card issuers such as Wells Fargo & Co. and Capital One Financial Corp. issued statements Thursday reminding that cardholders are not responsible for fraudulent activity on their cards.
Caller gets a busy signal
Boylan said Target was experiencing significantly higher customer calls than normal because of the security breach, as well as heavier traffic to the Redcard portion of its website. The company was adding people and system capacity to address the delays, she said.
Kevin Hale, a retired dental technician in Wood Dale, Ill., said he called Target when he wasn’t able to access his Redcard account to check for suspicious activity. He got a busy signal.
Hale said he wanted some peace of mind since he used his Target card recently to buy groceries.
“I’m only concerned because I did shop there during the period’’ of the security breach, he said.
Scott Mayer of Minneapolis said he was a victim of the data breach. He shopped at Target on Thanksgiving, and his credit card company notified him of a fraudulent purchase made at a Best Buy in Seattle a few days ago.
Mayer said he wouldn’t be leery about using a credit card at Target again, however.
“It can happen to anybody,” he said.
Some analysts believe the amount of fraud resulting from the breach might be relatively low. But Target’s expenses for the fraud could be much higher, they added, if it has to reimburse banks for fraud losses and card reissuing costs, and pay penalties to credit issuers.
Avivah Litan, a financial services security analyst at Connecticut-based research firm Gartner, said that in most breaches no more than 10 percent of the stolen card numbers get used for fraud, largely because there is a glut of stolen numbers on the black market.
“In the end the fraud committed will probably be $25 million or less,” Litan said.
The timing of the breach, and its disclosure less than a week before Christmas, makes the situation potentially damaging for Target and complicates its response.
“How many people right now are looking under their tree thinking, ‘Uh … I can pick out five different packages that all came from Target during that exact time,’ ” said James Wester, research director for global payments at Framingham, Mass.-based IDC. “This is probably going to cause some pretty serious ramifications.”
Marcus Rogers, a professor of cyberforensics at Purdue University, said one option to prevent the risk of compromised card numbers being used by thieves is to immediately cancel the cards and issue new ones.
But Rogers said canceling huge numbers of credit and debit cards in the late days of the holiday season would cause “chaos” that retailers want to avoid so close to Christmas.
“For the thieves, the timing is no coincidence,” Rogers said. “They are betting that Target and the credit card companies don’t want to hurt the economy by canceling the stolen cards.”
Target said it will close and replace its own credit cards only after evidence of theft.
A Visa spokeswoman said Visa also believes it’s unnecessary to pre-emptively cancel.
“Unauthorized access does not equal fraudulent activity,” Target’s Boylan said.
Staff writer John Ewoldt contributed to this report.