Retail giant Target confirmed Thursday morning that the credit and debit card data of 40 million of its shoppers has been compromised. The company says the problem has been identified and resolved.
But meanwhile, although there are no signs yet of actual fraud committed on these cards, the thieves are selling the card account information as fast as they can on underground sites, according to security blogger and expert Brian Krebs, who first broke this story Wednesday.
In a statement this morning, Minneapolis-based retailer Target reported that approximately 40 million credit and debit card accounts may have been impacted between November 27 and December 15 of this year. All 1,800 physical stores were affected. Target is partnering with a third-party forensics firm to conduct an investigation of the incident, it said.
Little is known yet about how the data was compromised. "My best guess is [Target] got hit by hackers who got into their network, and were able to push malicious software out to the point of sale systems," says Krebs, who spoke to American Banker in an exclusive interview Thursday morning. "We probably won't know for certain for weeks or months."
Target won't want to talk about how it was hacked until it's confident it can't be breached that way again, he notes. "When you're talking about 1,800 stores, that's going to take time," he says. The compromised data may have existed on a transaction aggregation server that handles transactions in large batches.
What is known is that the cybercriminals have obtained the basic account data stored on the magnetic stripes of the credit and debit cards - information such as name, account number and card expiration data. And they're selling the card data on underground websites.
"The guys who stole them can't offload them fast enough, because 5-10% of [the cards] are about to expire," Krebs notes. "There's a fire sale going on right now -- they lose value for every day they don't sell them." Now that the story has broken and issuers are thinking about cancelling the cards, the deadline pressure is on for the hackers.
Card issuers could go into these underground forums and start buying up some of the cards to learn more about the theft, Krebs suggests. The price for the freshest card account data runs about $44 apiece.
There's a strong possibility that card fraud will start to take place with this stolen data.
"If they're able to duplicate cards as a result of this, that means they'll have some kind of point of sale access," Krebs says. Some of the affected cards are debit cards, which means counterfeit cards could be used at ATMs as well as POS terminals, especially if PIN numbers were stolen as well.
In fact, Target's Red card can be used for debit or credit - customers can tie their existing bank account to their Target card and use it as a debit card.
This breach is a wake-up call for all card issuers and retailers.
"Hackers that do this kind of stuff are really good at finding vulnerabilities in specific products," Krebs says. For instance, if the hackers found a vulnerability in Target's POS system that lets them move through the system, there's a good chance other retailers have a similar setup and could be hit the same way.
"I guarantee if you're a big box retailer, you're taking a real close look at this right now," Krebs says.
Banks that issue cards affected by a data breach sometimes have to re-issue compromised cards. But this is a tough call.
"A lot of issuers will take a wait-and-see approach," Krebs says. "They're probably getting inundated with calls from people who shop at Target who are freaking out about what to do. The last thing they want to do is cancel these people's cards around Christmas. I'm positive Target would much rather have seen this come out on December 26."
When consumers' cards are cancelled in a case like this, they often become angry at their bank. And without their cards, they won't be able to make purchases during the busiest shopping season of the year.