Target warned its customers to keep a close eye on their credit card and bank statements after admitting it had a massive data breach.
Stolen information from some 40 million credit and debit cards used in its stores from Black Friday through Dec. 15 included names, credit or debit card numbers, card expiration dates and the three-digit security code, known as the CVV, on the back of cards, the retailer said.
Target spokesman Eric Hausman confirmed, however, it has "no indication that debit card PINs were impacted."
The huge breach is the latest in a growing problem for retailers that's increased as more companies outsource writing and maintaining software, says Andy Obuchowski, a director for security and privacy at consulting company McGladrey.
Following the well-publicized and highly litigated case in 2006 involving 46 million shoppers at TJX's stores, data breaches in recent years have hit Michael's, Stop & Shop, Barnes and Noble, Aldi and Subway, among others.
"This sort of hacking is absolutely on the rise, as the tools are more readily available for even novice hackers to utilize in their efforts to crack open companies' computer systems," says Adam Levin, chairman of Identity Theft 911 and Credit.com. "With a data breach of this type, the rewards — your money — are so great that it can only continue to increase."
The latest at Target is "pretty significant," says Siobhan MacDermott, chief policy officer at computer security firm AVG Technologies. She also says that as retailers such as Target rely more on data and glean more customer information, they increasingly become the targets of organized crime groups.
Often, digital break-ins are undetected and reported belatedly, only after customer victims discover them days later. Consumers usually are notified through letters from their credit card issuers and banks, MacDermott says.
This breach is particularly problematic because credit card issuers would face a firestorm of criticism if they canceled that many cards a week before Christmas, with no time to replace them all, says retail crime expert Joe LaRocca, former head of loss prevention for the National Retail Federation. Even though consumers would probably be responsible only for up to $50 of unauthorized purchases, this makes it especially important for shoppers to monitor their credit card statements if they shopped at Target stores during the period, he said.
Some breaches occur when fraudsters replace checkout line card readers with ones that wirelessly transmit data to banks but also to the criminals. That was how the TJX breach started.
But breaches as large as Target's are more likely to involve its network or software, perhaps when an employee or a contractor provides access to the "back door" of the system, LaRocca says. The access can be intentional or unwitting.
"In my opinion, someone found a way to manipulate the system to extract the numbers," says LaRocca, founder of RetaiLPartners, a loss prevention consulting company. "When a network intrusion occurs, typically a vulnerability is discovered and may involve some Inside collusion. Someone opened the back door or carelessly left the back door open" by not using proper security practices.
Target said it began investigating the incident as soon as it learned of it. The problem was first reported on a blog by security expert and former reporter Brian Krebs. A third-party forensics firm is working with Target to investigate.
Retailers are struggling to stay ahead of the criminals in this area, experts say. "No matter how safe any individual person is with their data, customer databases like Target's represent a nearly irresistible source of people's personal information ... to hackers than going after individuals one by one," says Levin.
How to prevent and detect card fraud:
•Regularly review credit card and bank statements for possible misuse.
•Report suspicious activity to credit card companies or financial institutions immediately.
•Contact the Federal Trade Commission or law enforcement with any reports of identity theft or to learn about steps you can take to protect yourself from identity theft.
•Get credit reports from each nationwide credit reporting agency. You can get one free a year from each of these under law: Experian, TransUnion and Equifax. Request that any fraudulent transactions be deleted.
Consumers concerned about this type of thing happening to them also can place a fraud alert on their credit report file to help protect their credit information, says Lisa LaBruno, senior vice president of retail operations for the Retail Industry Leaders Association.
Fraud alerts can make it more difficult for someone to get credit in the consumer's name because it tells creditors to follow certain procedures to protect the consumer. As soon as the credit reporting agency processes a fraud alert, it will notify the other two agencies, which then must also place fraud alerts in the consumer's file. But doing this can delay a consumer's ability to obtain legitimate credit.