By MARK DAVIS
The Kansas City Star
The thieves who broke through security at Target to steal the details of 40 million customer credit card and debit card accounts at the height of holiday shopping also left a message.
Each of us is a target, all year round. They reminded us to be careful and alert with our money in all its forms.
“People are now going to stop and be more aware of what they’re doing … especially this time of year, when scams are very prevalent and people are less cautious about where their money is going,” said Jana Castanon at Apprisen, a national nonprofit consumer credit counseling agency.
Target’s announcement Thursday of the 19-day data breach showed that the perpetrators were particularly brazen for making a seasonal strike and for reaching right up to the checkout lines inside stores across the nation to steal the data. The data was stolen when customers who made purchases swiped their cards at Target’s U.S. stores.
The breach started Nov. 27, the day before Thanksgiving and in time for Black Friday’s shopping surge, and worked straight through Sunday.
The thieves carted off customer names, card numbers, expiration dates and even the three-digit codes on the back of up to 40 million cards.
No one claims to know exactly how they did that.
“The fact this breach can happen with all of their security in place is really alarming,” said Avivah Litan, a security analyst with Gartner Research.
The misdeed, as dramatic as it seems, was painfully familiar.
It was not even the biggest such heist. A 2009 attack on credit card processor Heartland Payment Systems exposed 130 million cards to fraud.
The 19 days that Target’s breach was open wasn’t a record either.
A data breach at TJX Cos., which runs T.J. Maxx and Marshalls, spanned 17 months and exposed at least 45.7 million cards to possible fraud into December 2006.
Nor is the Secret Service’s investigation of what happened at Target unusual. Its job, as part of the Treasury Department, includes digging into large-scale attacks on the nation’s payment system.
Last year, global credit and debit card fraud losses reached $11.27 billion, up 11.4 percent from the previous year, according to the Nilson Report, which tracks global payments.
Though card fraud has been on the rise, it still accounts for less than 6 cents of every $100 spent, said Nilson’s publisher, David Robertson.
Target, which has almost 1,800 U.S. stores and 124 in Canada, said it immediately told authorities and financial institutions on Sunday once it became aware of the breach. The company is teaming with a third-party forensics firm to investigate and prevent future problems.
Target said it closed the breach quickly, once it was discovered, and assured customers that shopping was safe again.
“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Gregg Steinhafel, the company’s chief executive officer, said in a statement.
Ken Perkins, an analyst at Morningstar Inc., said the timing of the news is a concern with a few busy shopping days left before Christmas. The chain already had cut sales forecasts, and it ties discounts to use of its own branded REDcards to attract customers’ business.
“The longer-term risk is that people remember this who were going to sign up for REDcard and don’t,” Perkins said.
Litan said TJX quickly launched sales promotions after its data breach to lure shoppers back into stores, adding that Target’s breach probably would have little effect on sales.
“People care more about discounts than security,” she said.
Still, experts advised customers to consider canceling any cards used at Target stores while security had been breached.
Shoppers also need to watch closely the activity on those accounts for transactions they didn’t authorize. Reporting them immediately ensures you won’t be responsible for payment.
Too many consumers tried to do both Thursday. That left others frustrated as their phones got only busy signals from Target’s customer service line and their computers spun idly, unable to connect to the company’s website for online account statements.
Consumers’ vigilance shouldn’t expire any sooner than their credit cards or debit cards, said Apprisen’s Castanon.
“You need to always be checking your statements,” she said.
Consumers sometimes learn about such breaches well after they have happened. Thieves also may wait months before using stolen information. It means any monthly statement may contain transactions that you didn’t approve.
Security blogger Brian Krebs, a former reporter for The Washington Post, broke the story of a major data breach at Target on Wednesday. The company did not respond to his requests for information, but his sources had the guts of the story.
Customer card account information had been compromised, including Visa and MasterCard, and not just Target’s own REDcards, Krebs wrote. Online transactions were safe.
It began around Thanksgiving, and “investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15,” his post said.
Target confirmed those points and provided more details in a statement Thursday morning, despite claiming to have stopped the breach on Dec. 15.
Glen Cameron, a University of Missouri journalism professor whose research includes public relations, said Target faced competing pressures in deciding when to go public.
There’s benefit, he said, in a company breaking the news to customers itself. It brings credibility and an air of competence or control over the situation.
Speaking too soon, however, can lead to mistaken “facts” that erode customer confidence.
“You don’t want to say something first and then have to retract it,” Cameron said.
That this breach hit as millions are doing their holiday shopping raised the stakes for Target. Every day the breach remained a secret, store traffic remained undamaged.
Frustrated consumers aired complaints on Target’s Facebook page.
“Target, I’ve always loved you, but you need to do something more than tell me to monitor my account,” said one post.
Target employees responded to many posts, often with specific advice.
“Hi Lisa — There is no immediate need to cancel REDcards or any other credit or debit cards used at Target stores between Nov. 27 and Dec. 15, 2013. — Karen,” one response said.
Arvest Bank posted a similar online message to its customers.
“We do not recommend customers replace their card at this time,” it said. “Please be assured that our fraud detection systems routinely monitor card activity and attempt to identify unusual and potentially unauthorized transactions.”
This reality check came from another poster on Target’s Facebook page.
“And no guarantee, no matter what measures put into place, will prevent it from happening again. Any time a company puts safe measures in place, there are always people out there that figure a way around it, and it goes on and on. Hence why cash is always best.”
Just be careful of strangers in the parking lot if you’re packing a big roll of bills. No one makes up for unauthorized use of cash.
Some answers on the Target break-in
What should I do if my card has been compromised?
Experts say to consider closing the account by contacting the bank or company that issued the card. It can be inconvenient to wait for a new account number and card, especially during the holiday shopping season. But it protects you from potential losses.
Watch your statement and report any transactions you did not authorize. If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission at 877-438-4338.
How long should I be vigilant if I suspect my information may have been compromised?
“Always. You need to always be checking your statements,” said Jana Castanon, media relations manager for Apprisen, a national nonprofit consumer credit counseling agency.
News about data breaches often isn’t immediately public, but shoppers can be victimized quickly.
With online access, most consumers can see the activity on their accounts at any time. And scammers may wait days, weeks or months before using a stolen account identity.
Which is safer to use, a debit card or credit card?
Either is fine, but experts recommend choosing “credit” on a PIN pad if you can when you use a debit card.
Castanon said it moves the transaction under the consumer protections of the payment company, such as Visa. Those may be stronger than the protections offered by the bank that issued you the card. The funds still will move like a debit, without exposing you to future payments or interest costs.
What else can I do?
Destroy your receipts when discarding them so no one can pull personal information from them, recommends Arvest Bank. It also said to protect your card number and not to give it out over the phone to a caller unless you initiated the call to make a purchase from a reputable company.
How did the breach occur?
Target isn’t saying how it happened. Industry experts disagree about how the breach might have happened.
Avivah Litan, a security analyst with Gartner Research, said the breach may have been an inside job.
Thefts of this size are too big to be the work of company employees, said Ken Stasiak, founder and CEO of Secure State, a Cleveland-based information security firm that investigates data breaches. Stasiak said such breaches are generally perpetrated by organized crime or an overseas, state-sponsored hacker group.
Stasiak’s theory is that the hackers were able to breach Target’s main information hub and then wrote code that gave them access to the company’s point-of-sale system and all its cash registers. That access allowed the hackers to capture the data from shoppers’ cards as they were swiped.
Who pays if there are fraudulent charges on my account?
The good news is in most cases consumers aren’t on the hook for fraudulent charges.
Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn’t happen, the card issuer will generally strip charges that you claim are fraudulent off your card immediately.
And since the fraud has been tied to Target, it will be the retailer that ultimately compensates the banks and credit card companies.
How much is this going to cost Target?
It’s too soon to tell. In addition to the fraud-related losses, banks may start charging Target a higher merchant discount rate, which is the amount retailers pay banks for providing debit and credit card services. While the percentage difference may be tiny, it could result in steep costs given the volume of transactions Target does, Litan said.
“The real winner in this is Wal-Mart,” she said.
How can future breaches be prevented?
Litan said an easy way to prevent fraud would be to eliminate the use of easily cloned magnetic stripe cards and upgrade to the kind of microchip technology used in most other parts of the world.
But she said banks have pushed back against the idea because the microchip cards cost substantially more than the magnetic stripe version and changing over all the country’s ATMs could drive the total costs into the billions of dollars.
Lyne said it’s unclear whether the use of microchip cards would have prevented the Target breach, since it’s unclear how it happened, but that it certainly wouldn’t hurt.
Why is the Secret Service investigating?
Though most famous for protecting the president, the Secret Service also is responsible for protecting the nation’s financial infrastructure and payment systems. As a result, it has broad jurisdiction over financial crimes. It isn’t uncommon for the agency to investigate major thefts involving credit card information.
Is it safer to shop online?
Target said its online shoppers weren’t compromised, but online transactions present their own dangers. Experts say to deal with recognized vendor sites and do what you can to ensure the transaction is secured, often with an image of a closed padlock.
Be alert to where links on a site actually take you. Hover over the link with your cursor and the address will be displayed on your screen. If it doesn’t look right, the link may be sending you to a scam.
• Closely monitor accounts for transactions you didn’t approve.
• Quickly report suspicious account activity to the bank or company that issued the card.
• Protect personal information by destroying receipts.
The Associated Press and Bloomberg contributed to this report. To reach Mark Davis, call 816-234-4372 or send email to firstname.lastname@example.org.