BOSTON (Reuters) — Target Corp said
hackers have stolen data from up to 40 million credit and debit
cards of shoppers who visited its stores during the first three
weeks of the holiday season in the second-largest such breach
reported by a U.S. retailer.
The hackers worked at unprecedented speed, carrying out their
operation from the day before Thanksgiving to this past Sunday, 19
days that are the heart of the crucial Christmas holiday sales
season.
Target, the third-largest U.S. retailer, said on Thursday that it
was working with federal law enforcement and outside experts to
prevent similar attacks in the future. It did not disclose how its
systems were compromised.
Target did not detect the attack on its own, according to a person
familiar with the investigation.
The retailer was alerted its systems might have been compromised by
credit card processors who had noticed a surge in fraudulent
transactions involving credit cards that had been used at Target,
according to the source, who was not authorized to discuss the
matter.
The timing of the breach could not have been worse for Target,
coming just before three of the four busiest days of what has been a
bruising holiday season for retailers, with the highest level of
discounting in years. Target itself last month lowered its profit
forecast for the year after disappointing sales in the third
quarter.
Complaints from customers began to surface on social media as they
learned of it early Thursday morning.
"Most of these attacks are just a cost of doing business," said Mark
Rasch, a former U.S. prosecutor of cyber crimes.
"But an attack that's targeted against a major retailer during the
peak of the Christmas season is much more than that because it
undermines confidence."
Investigators are still trying to understand how the attack was
carried out, including whether hackers found a weakness at Target's
own computer network or through credit card services vendors. It was
not immediately clear what percent of the transactions at its brick
and mortar stores had been compromised but the company said its
online business had not been affected.
Massachusetts Attorney General Martha Coakley, who headed a
multistate probe into a 2007 data breach at TJX Cos, said in a
statement that her office was talking to Target about the breach and
how the company is addressing it, and plans to work with other
Attorneys General to determine whether the company had proper
safeguards in place.
New York Attorney General Eric Schneiderman said in a public
statement that he had asked Target for more information as well.
Lawyers said that there will almost definitely be class action suits
against Target.
The affected payment cards include Target's REDcard private label
debit and credit cards as well as other bank cards, Target
spokeswoman Molly Snyder told Reuters on Thursday. She declined to
say if the incident was affecting store traffic.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX
Cos Inc, led to the theft of data from more than 90 million credit
cards over about 18 months.
Since then, companies have gotten far more adept at identifying
intruders. But criminals have responded by developing more-powerful
attack strategies, spending months on reconnaissance to launch
highly sophisticated schemes with the goal of extracting as much
data as they can in the shortest period of time.
Representatives for J.C. Penney Co Inc, Wal-Mart Stores Inc, Best
Buy Co Inc and Home Depot Inc told Reuters they believed their
systems had not been compromised in similar attacks.
Target will provide more details on costs related to the issue at a
later date, Snyder said. She declined comment when asked if Target
expected potential fines from MasterCard, Visa and American Express
or saw a possible increase in merchant fees.
"It's so early in this investigation," Snyder said.
Avivah Litan, a Gartner analyst who specializes in cyber-security
and fraud detection, saw costs for Target. "They are going to pay
for any fraud on the card," she said. "They will get fined (by card
issuers) for non-compliance with payment card security standards.
Their merchant fee will probably go up a few basis points."
Target's shares closed down 2.2 percent at $62.15 on the New York
Stock Exchange on Thursday afternoon, while the Standard & Poor's
500 stock index fell 0.06 percent.
Target warned customers in an alert on its website that the
criminals had stolen names, payment card numbers, expiration dates
and security codes.
The company had identified the breach on Sunday and had begun
responding to it the same day, Snyder said. She declined to explain
why the retailer waited until Thursday to alert customers about the
breach.
Krebs on Security, a closely watched security industry blog that
broke the news on Wednesday, said the breach involved nearly all of
Target's 1,797 stores in the United States.
The U.S. Secret Service is working on the investigation,
according to an agency spokeswoman. A Federal Bureau of
Investigation spokeswoman declined to comment.
Unhappy customers began to weigh in early on Thursday, posting
complaints on Target's Facebook page.
"Thank you Target for nearly costing me and my wife our identities,
we will never shop or purchase anything in your store again," said
one posting.
"Shop at Target, become a target," remarked another. "Gee, thanks."
Target's Snyder said it has been getting an "extremely high" volume
of calls from customers and is adding employees to its call centers
to answer questions on security breach.
Krista Brewer, 27, a student at Bridgewater State University at
Braintree, Massachusetts, sent Target an email and canceled her
credit card on Thursday because she had used it multiple times in
recent weeks at the store.
"If they don't do anything for the customers who had their cards put
at risk, such as coupons or a special deal, I think I will avoid
shopping there in the future," she said. "I'm very security
conscious, and they aren't saying exactly how the breech happened."
JPMorgan Chase & Co, one of the biggest U.S. credit card issuers,
said it was monitoring the accounts involved for suspicious activity
and urged customers to contact the bank if they noticed any.
An American Express spokeswoman said the company was aware of the
incident and was putting fraud controls in place.
Major card brands typically offer their cardholders zero liability
and cardholders should contact their issuer if they spot suspicious
transactions, a Visa spokesman said, adding that a breached account
does not necessarily result in a fraudulent purchase.
"This could hurt the end of the holiday season if for no other
reason than many of their customers have to cancel cards ahead of
holidays," said Janney Capital Markets analyst David Strasser.
The breach also comes at a time Target is trying to build its online
business, which by some estimates is only 2 percent of sales.
"All consumers will hear is that Target is not a safe place to use
your credit card. That impacts trust, which in turn can impact
retail's fastest-growing and most trust-sensitive touch points:
online and mobile," said Carol Spieckerman, president of retail
strategy firm newmarketbuilders.
Still, consumers tend to have short memories with these things, so
even if it is bad now, it will likely be less of an issue next
quarter, said Gartner analyst Litan.
"(Consumers) care more about discounts than security," she said.
(Additional reporting by Siddharth
Cavale, David Henry, Marina Lopes, Phil Wahba and Peter Rudegeair;
editing by Kirti Pandey, Rodney Joyce, Lisa Von Ahn, Jilian Mincer,
Peter Henderson, Phil Berlowitz and Bob Burgdorfer)