12-19-13 UPDATE: Target has confirmed the attack; up to 40 million accounts could be at risk.
According to the New York Times Bits blog, retail giant Target and federal authorities are currently looking into a security breach that potentially put millions of customers’ credit card and debit card numbers at risk. Most interestingly, the data breach didn’t involve customer data that was used to purchase products online, but rather customer data that’s gathered by the in-store point-of-sale systems. This data would likely include credit card numbers, debit card numbers, PIN numbers to access debit cards and other personal information that is tied to a credit card purchase.
According to the original report by security expert Brian Krebs, theft of the payment data started on Black Friday and continued for nearly two weeks. The data collected is also known as “track data,” basically all the information included within the magnetic stripe on your credit or debit card. Using that data, criminals can encode the information on a counterfeit card as long as it has a magnetic stripe. This allows criminals to sell the cards in batches or use the cloned cards at retailers to purchase goods. The debit cards can be used at ATMs to withdraw money, assuming the debit card PIN was also collected.
Up to this point, representatives at Target have declined to officially comment on the matter. According to a statement from an anonymous anti-fraud analyst at one of the largest credit card issuers in the United States, the period of time in which this data was continually stolen from Target continues to expand. Specifically, the analyst said “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
Assuming Target allowed personal information, like names, to be stolen along with the card numbers, the retailer has a legal obligation to notify all affected customers about the breach. Interestingly, if Target encrypted the personal information, then there’s no legal obligation to let customers know that their card numbers have been stolen. Of course, security experts recommend that all recent Target customers keep an eye on their credit card accounts and change the PIN numbers attached to their debit cards immediately.
When asked about potential steps consumers can take to protect their personal information, Zscaler vice president Michael Sutton said “There’s not a great deal customers can do, other than take the necessary steps, like changing passwords, credit card numbers if they have been informed of a breach. Beyond that, they can take proactive steps like shopping with reputable vendors. Then again, here we are talking about one of the largest retailers in the United States. No one is immune.”
A similar data breach occurred at 63 separate Barnes & Noble stores during late October 2012. At stores in California, Florida, Illinois, Massachusetts, New Jersey, Connecticut, New York, Pennsylvania and Rhode Island, thieves were able to steal credit and debit card data by utilizing a compromised PIN pad device. Barnes & Noble management notified all customers of those 63 stores about the breach and recommended changing PIN numbers attached to debit cards immediately.