Target says data stolen from 40 million shoppers
SAN FRANCISCO — Target confirmed Thursday that it was investigating a security breach involving stolen credit card and debit card information for 40 million of its retail customers.
Target’s announcement came one day after a security blogger, Brian Krebs, first reported the breach. In a statement, Target confirmed that criminals gained access to its customer information on Nov. 27 — the day before Thanksgiving and just ahead of one of the busiest shopping days of the year — and maintained access through Dec. 15.
Target said it had confirmed that its online customers were not affected by the breach, which appears to have been isolated to the point-of-sale systems in Target’s retail stores.
Target said that cybercriminals had accessed customer names, credit or debit card numbers, expiration dates and three-digit security codes for 40 million customers who had shopped at its stores.
Immediately after discovering the breach, Target said, it alerted federal authorities and financial institutions, and it is currently working with a third-party forensics firm to conduct a thorough investigation.
Brian Leary, a spokesman for the Secret Service, which investigates financial fraud, said the agency was investigating.
Target advised its store customers to scan their credit and debit accounts for unauthorized transactions and check their credit reports.
“We take this matter very seriously and are working with law enforcement to bring those responsible to justice,” Gregg W. Steinhafel, Target’s chairman and chief executive, said in a statement.
Point-of-sale systems have become a major target for cybercriminals in recent years. By breaching point-of-sale systems, cybercriminals can gain access to the so-called “track data” on credit and debit cards that can be sold, in bulk, on the black market and used to create counterfeit cards.
A similar breach affected Barnes & Noble stores last year. Last year, criminals also breached Global Payment Systems, one of the biggest card transaction processors. The biggest known security compromise to date was an attack at Heartland Payment Systems, another credit card processor, in 2009. Criminals used malware to break into the company’s internal network and steal data for 130 million cards.
In such cases, security experts say a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded software giving cybercriminals a foothold in a company’s systems.