The hackers worked at unprecedented speed, carrying out their
operation from the day before Thanksgiving to this past Sunday, 19
days that are the heart of the crucial Christmas holiday sales
Target, the third-largest U.S. retailer, said on Thursday that it
was working with federal law enforcement and outside experts to
prevent similar attacks in the future. It did not disclose how its
systems were compromised.
The retailer was alerted its systems might have been compromised by
credit card processors who had noticed a surge in fraudulent
transactions involving credit cards that had been used at Target,
according to a person familiar with the investigation who was not
authorized to discuss the matter.
The timing of the breach could not have been worse for Target,
coming just before three of the four busiest days of what has been a
bruising holiday season for retailers, with the highest level of
discounting in years. Target last month lowered its profit forecast
for the year.
"Most of these attacks are just a cost of doing business," said Mark
Rasch, a former U.S. prosecutor of cyber crimes.
"But an attack that's targeted against a major retailer during the
peak of the Christmas season is much more than that because it
Investigators are still trying to understand how the attack was
carried out, including whether hackers found a weakness at Target's
computer network or through credit card services vendors. It was not
immediately clear what percent of the transactions at its brick and
mortar stores had been compromised but the company said its online
business had not been affected.
Massachusetts Attorney General Martha Coakley, who headed a
multi-state probe into a 2007 data breach at TJX Cos, said in a
statement that her office was talking to Target about the breach and
planned to work with other Attorneys General to determine whether
the company had proper safeguards in place.
New York Attorney General Eric Schneiderman said in a public
statement that he had asked Target for more information.
A customer in California filed a class-action lawsuit against the
company late on Thursday, the first of what lawyers said could be
many such suits.
Samantha Wredberg said in a court filing that she was a regular
shopper at Target and had used her credit card at a company store on
December 8. Besides seeking damages, Wredberg asked the court to
certify the lawsuit as class action.
She also asked the court to explore whether "Target unreasonably
delayed in notifying affected customers of the data breach".
The theft of credit and debit card data from Target customers could
end up costing hundreds of millions of dollars, but it is unclear
who will bear the expense, lawyers and industry sources said.
The affected payment cards include Target's REDcard private label
debit and credit cards as well as other bank cards, Target
spokeswoman Molly Snyder said. She declined to say if the incident
was affecting store traffic.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX
Cos Inc, led to the theft of data from more than 90 million credit
cards over about 18 months.
Since then, companies have become far more adept at identifying
intruders. But criminals have responded by developing more-powerful
attack strategies, spending months on reconnaissance to launch
sophisticated schemes with the goal of extracting as much data as
they can in the shortest period of time.
Representatives for J.C. Penney Co Inc, Wal-Mart Stores Inc, Best
Buy Co Inc and Home Depot Inc told Reuters they believed their
systems had not been compromised in similar attacks.
Target will provide more details on costs related to the issue at a
later date, Snyder said. She declined to comment when asked if
Target expected potential fines from MasterCard, Visa and American
Express or saw a possible increase in merchant fees.
"It's so early in this investigation," Snyder said.
[to top of second column]
Avivah Litan, a Gartner analyst who specializes in cyber-security
and fraud detection, saw costs for Target. "They are going to pay
for any fraud on the card," she said. "They will get fined (by card
issuers) for noncompliance with payment card security standards.
Their merchant fee will probably go up a few basis points."
Target's shares closed down 2.2 percent at $62.15 on the New York
Stock Exchange on Thursday afternoon, while the Standard & Poor's
500 stock index fell 0.06 percent.
Target warned customers in an alert on its website that the
criminals had stolen names, payment card numbers, expiration dates
and security codes.
The company had identified the breach on Sunday and had begun
responding to it the same day, Snyder said. She declined to explain
why the retailer waited until Thursday to alert customers.
Krebs on Security, a security industry blog that broke the news on
Wednesday, said the breach involved nearly all of Target's 1,797
stores in the United States.
The U.S. Secret Service is working on the investigation, according
to an agency spokeswoman. A Federal Bureau of Investigation
spokeswoman declined to comment.
Customers began to complain early on Thursday via Target's Facebook
"Thank you Target for nearly costing me and my wife our identities,
we will never shop or purchase anything in your store again," said
"Shop at Target, become a target," remarked another. "Gee, thanks."
Target's Snyder said it had been getting an "extremely high" volume
of calls from customers.
JPMorgan Chase & Co, one of the biggest U.S. credit card issuers,
said it was monitoring the accounts involved for suspicious activity
and urged customers to contact the bank if they noticed any.
An American Express spokeswoman said the company was aware of the
incident and was putting fraud controls in place.
Major card brands typically offer their cardholders zero liability
and cardholders should contact their issuer if they spot suspicious
transactions, a Visa spokesman said, adding that a breached account
did not necessarily result in a fraudulent purchase.
"This could hurt the end of the holiday season if for no other
reason than many of their customers have to cancel cards ahead of
holidays," said Janney Capital Markets analyst David Strasser.
The breach also comes at a time Target is trying to build its online
business, which by some estimates is only 2 percent of sales.
"All consumers will hear is that Target is not a safe place to use
your credit card. That impacts trust, which in turn can impact
retail's fastest-growing and most trust-sensitive touch points:
online and mobile," said Carol Spieckerman, president of retail
strategy firm newmarketbuilders.
Still, consumers tend to have short memories with these things, so
it will likely be less of an issue next quarter, said Gartner
"(Consumers) care more about discounts than security," she said.
The case is Samantha Wredberg vs Target Corp, Case No. 13-cv-05901,
U.S. District Court, Northern District of California.
(Additional reporting by Sakthi Prasad, Siddharth Cavale, David
Henry, Marina Lopes, Phil Wahba and Peter Rudegeair; Editing by
Kirti Pandey, Rodney Joyce, Lisa Von Ahn, Jilian Mincer, Peter
Henderson, Phil Berlowitz, Bob Burgdorfer and Stephen Coates)
[© 2013 Thomson Reuters. All rights
Copyright 2013 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.