Target Confirms Hackers Stole 40 Million Credit Cards

Hackers 19-day heist scoops up all ingredients required to make counterfeit cards.

Hackers have successfully stolen 40 million credit and debit cards from retail giant Target.
The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining unauthorized access to customers names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers -- or in Targets marketing-ese, guests.
Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its US stores, according to a
statement released Thursday by Target
. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.
Target said it had immediately notified law enforcement agencies as soon as it discovered the breach, and that it planned to hire a third-party digital forensics firm to investigate the breach and recommend information security improvements.
Targets first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause, said Gregg Steinhafel, Targets president and CEO, in a statement. We take this matter very seriously and are working with law enforcement to bring those responsible to justice.
[Whats on your list?
My 5 Wishes For Security In 2014
.]
The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday, said Matt Standart, HBGarys threat intelligence director, via email. To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort.
Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Targets IT infrastructure, might have served as a distraction to give more operational security to the adversary, Standart said.
Target operates not only Target.com, but also 1,797 stores in the United States and 124 in Canada. But based on the companys statement, only card data from its brick-and-mortar US stores appear to have been compromised. We cant say for sure that all stores were impacted, but we do see customers all over the US that were victimized, an anti-fraud analyst at one of the countrys top 10 card issuers
told security reporter Brian Krebs
.
The massive breach puts an unfortunate wrinkle on Minneapolis-based Targets corporate promise: Expect more. A lot more. While the breach didnt involve as many card numbers as the biggest such breach to date -- involving thieves stealing details on up to 90 million cards from T.J. Maxx parent company TJX, it is well above last years theft of 1.5 million accounts from payment processor Global Payments. In July, meanwhile, the Department of Justice announced charges against a Russian cybercrime ring that was accused of hacking into the systems of such businesses as NASDAQ, 7-Eleven, and JetBlue and stealing 160 million credit card numbers.
Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didnt immediately respond.
But the retailer is to be commended for coming clean about the breach relatively quickly. The company Thursday posted a
data breach notification
on its site that includes extensive details -- including state-by-state breakdowns -- about how customers can monitor for any identity theft that might result.
Target has warned customers to beware of fraudulent use of their credit and debit card numbers. If you see something that appears fraudulent, REDcard holders should contact Target, others should contact their bank, the company said, referring to its Target-branded REDcard debit and credit cards. But so far, the company hasnt offered to provide free identity theft monitoring services to affected customers. But anyone hit with credit or debit card fraud should be able to contest the charges with their card issuer, provided they do so in a timely fashion -- usually within 60 days of receiving a related statement.
Going forward, the concern is that anyone who shopped at -- or with -- Target during the 19-day breach window is that the stolen card data could be used at any point in the future. Hackers often sell stolen card data in bulk to others via
carder forums
and other underground cybercrime marketplaces. Other criminals may then purchase the information and use it to make fraudulent online purchases, or encode the information into fake credit cards. These forged cards are distributed to money mules, who use them to make fraudulent in-store purchases. They then resell the goods to amass cash.
In the case of the Target breach, this cybercrime cycle could be broken if credit card issuers cancel all affected card numbers and issue new cards. Of course, it remains to be seen if they -- or Target -- are willing to foot the related bill.
Mathew Schwartz
is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
Knowing your enemy is the first step in guarding against him. In this Dark Reading report,
Integrating Vulnerability Management Into The Application Development Process
, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Target Confirms Hackers Stole 40 Million Credit Cards