Target Corp. today confirmed it is aware of a data breach impacting approximately 40 million credit and debit cards, making it one of the largest breaches of 2013 and one of the largest retail breaches in history.
The Minneapolis, Minn.-based retailer, the 36th largest company on the Fortune 500, said the massive data breach occurred between Nov. 27 and Dec. 15, during the busy holiday shopping period that covers Black Friday. The company noted that it had contacted the appropriate authorities and financial institutions immediately after it had been made aware of the situation, and that the issue that led to the breach has since been identified and resolved.
"Target's first priority is preserving the trust of our guests, and we have moved swiftly to address this issue so guests can shop with confidence," said Target CEO Gregg Steinhafel in a statement. "We regret any inconvenience this may cause."
Brian Leary, a spokesman for the U.S. Secret Service, has confirmed that the agency is investigating the Target data breach.
KrebsOnSecurity, the blog of veteran journalist Brian Krebs, was the first to report on the Target breach. Krebs' sources informed him that the breach was nationwide, but that as of now, it did not affect online customers.
Specifically, thieves seem to have targeted what is known as track data, which is the information stored on the magnetic stripe of credit and debit cards. In his post detailing the breach, Krebs noted that such information can be used to forge counterfeit cards, though as yet it's unclear whether PIN data was also compromised as part of the breach. With the track data and PIN information, criminals could simply create a counterfeit card and withdraw money from ATMs.
John Kindervag, VP and principal analyst at Forrester Research, said those accumulated details were more than enough for the thieves to clone cards. In particular, he was taken aback by the revelation that CVV numbers were included in the breach, noting that the Payment Card Industry Security Standards Council (PCI SSC) has long prohibited the storage of CVV details.
“That’s a huge compliance no-no,” said Kindervag. “Even before there was a PCI, the big thing was don’t store CVV data. So there’s a big whoops somewhere in this.”
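The two data types discussed above, magnetic-stripe track data and the card security code, are exactly what a merchant's own storage should never contain after authorization. As an added example that is not part of this article and not Target's or the PCI SSC's own tooling, the following scanner looks through a constructed sample log for retained track data (ISO/IEC 7813 Track 1 and Track 2 layouts) and labelled CVV values, using a Luhn check to discard digit runs that merely resemble a card number and masking any PAN it does find; the log lines and the test card number are constructed.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d{3}\d*\?")
# A security code stored next to a CVV/CVC label (PCI DSS forbids retaining it)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)

def luhn_ok(pan: str) -> bool:
    """Mod-10 check: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Findings for one line: track data (Luhn-validated, masked) and stored CVVs."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append({"type": kind, "pan": mask_pan(m.group(1)),
                                 "exp": m.group(2)})
    for _ in CVV_RE.finditer(line):
        findings.append({"type": "cvv", "value": "***"})   # never echo the code
    return findings

def scan(text: str) -> list:
    """(line number, finding) pairs for a whole text blob."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(line)]

# Constructed sample: a POS debug log that wrongly retained a full swipe and a CVV.
# 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_LOG = """\
2013-12-02 10:14:03 pos-17 swipe ok ref=88213
2013-12-02 10:14:03 pos-17 raw=%B4111111111111111^DOE/JANE^25121010000000000?;4111111111111111=25121010000000000?
2013-12-02 10:14:04 pos-17 auth cvv=123 amount=42.10
2013-12-02 10:14:09 pos-17 note: order id ;1234567890123456=0000000000000? is not a card
"""

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(lineno, finding)
```

The fourth sample line shows why the Luhn filter matters: it has the Track 2 shape but fails mod-10, so it is not reported.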
He also speculated that the card information was likely stolen from a database simply because the huge number of records would be difficult to gather over the course of just a few weeks.
As for the potential consequences of the Target breach, Kindervag said it would be difficult to determine at this point. Still, by looking at the costs of other massive data breaches like those that affected TJX and Heartland Payment Systems, he said it would be difficult to imagine the retailer making it through this situation without incurring huge costs, potentially up to $100 million.
“That's what I would estimate. There'll be free credit monitoring, breach notification, there'll probably have to be letters sent out, there'll be lawsuits. I mean, just the amount in legal fees will be exorbitant. They're going to see whatever profits they would have made from the holiday season be eroded by a data breach,” said Kindervag. “It's probably the most expensive negative thing that can happen to a company. It's just disastrous.”