Target Confirms Point-Of-Sale Data Breach, Announces It Exposed 40 Million Credit Card Numbers

Today retailer Target announced that between November 27 and December 15 its point-of-sale systems – the cash registers mounted at the check-out areas of its stores – suffered an attack that exposed an estimated 40 million credit and debit card numbers. The company announced that it has “alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.” It said it has hired outside support to investigate the source and method of the breach.

Thieves made off with customer names, card numbers, as well as expiration dates and the three-digit CVV security code. Only customers who visited Target stores were compromised.

The company moved quite slowly on this breach. On December 12 Brian Krebs reported the first rumors of the attack, suggesting it consisted of a wholesale scraping of “track data,” the data found on each credit card magnetic track. Krebs suggests that the thieves may have broken into the stores’ wireless networks and grabbed the card information as it was transferred from the cash registers.

Target spokesperson Katie Boylan said that the company is currently “working with authorities and a leading third-party forensics firm” and explained that it was an “ongoing investigation [and that] it was not appropriate to comment at this time.”

“Target put all the appropriate resources on the issue,” she said.

Breaches like these are not uncommon but it’s rare to find one so far-reaching. In 2009 a payment systems provider lost 130 million card numbers in an attack. However, this is one of the most high profile attacks to date.

“Loss of the track information from the credit cards is particularly nasty as it can allow for card cloning. That said, just the cardholder’s name, card and security code has the potential for widespread online ordering fraud which can be particularly nasty considering we’re in the midst of the holiday season,” said James Lyne, global head of security research at Sophos.

Target recommends customers “remain vigilant for incidents of fraud and identity theft by regularly reviewing their account statements and monitoring free credit reports.”