= Subscriber content; or subscribe now to access all American Banker content.

Target Data Breach Has Become a Card Data Fire Sale: Krebs

Retail giant Target confirmed Thursday morning that the credit and debit card data of 40 million of its shoppers has been compromised. The company says the problem has been identified and resolved.

But meanwhile, although there are no signs yet of actual fraud committed on these cards, the thieves are selling the card account information as fast as they can on underground sites, according to security blogger and expert Brian Krebs, who first broke this story Wednesday.

In a statement this morning, Minneapolis-based retailer Target reported that approximately 40 million credit and debit card accounts may have been impacted between November 27 and December 15 of this year. All 1,800 physical stores were affected. Target is partnering with a third-party forensics firm to conduct an investigation of the incident, it said.

Little is known yet about how the data was compromised. "My best guess is [Target] got hit by hackers who got into their network, and were able to push malicious software out to the point of sale systems," says Krebs, who spoke to American Banker in an exclusive interview Thursday morning. "We probably won't know for certain for weeks or months."

Target won't want to talk about how it was hacked until it's confident it can't be breached that way again, he notes. "When you're talking about 1,800 stores, that's going to take time," he says. The compromised data may have existed on a transaction aggregation server that handles transactions in large batches.

What is known is that the cybercriminals have obtained the basic account data stored on the magnetic stripes of the credit and debit cards - information such as name, account number and card expiration data. And they're selling the card data on underground websites.

"The guys who stole them can't offload them fast enough, because 5-10% of [the cards] are about to expire," Krebs notes. "There's a fire sale going on right now -- they lose value for every day they don't sell them." Now that the story has broken and issuers are thinking about cancelling the cards, the deadline pressure is on for the hackers.

Card issuers could go into these underground forums and start buying up some of the cards to learn more about the theft, Krebs suggests. The price for the freshest card account data runs about $44 apiece.

There's a strong possibility that card fraud will start to take place with this stolen data.

"If they're able to duplicate cards as a result of this, that means they'll have some kind of point of sale access," Krebs says. Some of the affected cards are debit cards, which means counterfeit cards could be used at ATMs as well as POS terminals, especially if PIN numbers were stolen as well.

In fact, Target's Red card can be used for debit or credit - customers can tie their existing bank account to their Target card and use it as a debit card.

This breach is a wake-up call for all card issuers and retailers.

"Hackers that do this kind of stuff are really good at finding vulnerabilities in specific products," Krebs says. For instance, if the hackers found a vulnerability in Target's POS system that lets them move through the system, there's a good chance other retailers have a similar setup and could be hit the same way.

"I guarantee if you're a big box retailer, you're taking a real close look at this right now," Krebs says.

Banks that issue cards affected by a data breach sometimes have to re-issue compromised cards. But this is a tough call.

"A lot of issuers will take a wait-and-see approach," Krebs says. "They're probably getting inundated with calls from people who shop at Target who are freaking out about what to do. The last thing they want to do is cancel these people's cards around Christmas. I'm positive Target would much rather have seen this come out on December 26."

When consumers' cards are cancelled in a case like this, they often become angry at their bank. And without their cards, they won't be able to make purchases during the busiest shopping season of the year.


(8) Comments



Comments (8)
@Patrick, in my case, the hackers were apparently performing test transaction on my stolen credit card info withing hours of my Target purchase.
Posted by jim_wells | Monday, December 23 2013 at 8:42AM ET
Only speculation but the hackers likely had negotiated the data sale before they stole it. As mentioned by Brian, the half life on this stuff is very short. Based on past observation, someone is usually working the file within hours of the data theft.
Posted by PatrickReily | Monday, December 23 2013 at 8:24AM ET
I think the Target Red debit cards will be the easiest for Target to control since they are closed loop cards that can only be used in Target stores. Programming to alert the clerk if a Red debit card is swiped could be put in place to have the clerk verify the card swiped is a valid Red card and the encoded information matches the card account number on the face of the card.
Posted by Just Saying | Friday, December 20 2013 at 8:42AM ET
It is reassuring to hear Citibank has gone the extra mile to protect the U.S. cardholders. Confident all issuers will follow Citibank's lead and the industry will address the root cause swiftly keeping the cardholder data behind the banks firewalls and out of harms way...
Posted by patricia_mccormick | Thursday, December 19 2013 at 4:55PM ET
I'm concerned what Target's plans are for reissuance of their Red Cards. For debit use, those cards are mapped to clear against a consumer's checking account via ACH. Even if the bank reissues a debit card, it would seem that the Red Card could continue to be used to access the checking account, and there's nothing proactive that the bank can do, and will have to be super-vigilant and absorb the costs to monitor for potentially fraudulent ACH transactions and reject them within regulatory time frames. I would consider it negligent if Target does not reissue their own Red Cards.
Posted by paulcm | Thursday, December 19 2013 at 1:35PM ET
Dave, yes I consider myself fortunate. But I winced when I read the line, "A lot of issuers will take a wait-and-see approach," above.
Posted by jim_wells | Thursday, December 19 2013 at 12:37PM ET
Jim, The timing of this data breach right at the peak Holiday shopping week will require extraordinary measures -- thanks for sharing your story of Citi stepping up and going above and beyond the usual practice.
Posted by dave_fortney | Thursday, December 19 2013 at 12:27PM ET
Citibank called me Sunday afternoon to inform me that my card details had been compromised when I used the card at Target that morning. They cancelled the card immediately after 2 charges of 55 cents and $1 and FedExed me a new card which arrived Tuesday -- 2 days before the public announcement of the security breach. Happy to know at least one area of a Too Big To Fail Bank is working for customers, rather than against them.
Posted by jim_wells | Thursday, December 19 2013 at 11:38AM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.