As millions of bargain-crazed customers swarmed through Target stores on Black Friday, one of the most audacious heists in retail history was quietly underway.
A band of cyberthieves pilfered credit and debit card information from the giant retailer’s customers with pinpoint efficiency as shoppers bought discounted sweaters and electronic gear on the unofficial launch of the holiday shopping season.
By the time the scheme was discovered, the unidentified hackers had made off with financial data of 40 million Target customers over a 2 1/2-week period. It ranks as one of the nation’s biggest retail cybercrimes on record.
Target disclosed the security breach Thursday, saying the thieves had purloined customer names, card numbers and a security code encrypted in the magnetic strip. The theft enables the culprits to make phony credit cards, make fraudulent purchases or siphon money from bank accounts.
The data breach underscored the evolving sophistication of cybercriminals and the persistent vulnerability of retailers and consumers despite dozens of past incidents at major retailers.
“How do you get 40 million credit cards and no one knows about it?” said Ken Stasiak, chief executive of SecureState, which investigates cybercrimes.
The Minneapolis retailer said the hack occurred between Nov. 27, just before the annual holiday shopping frenzy, and Dec. 15. The breach affects people who bought goods at any of Target’s 1,797 stores nationwide, but not those who made purchases online.
In previous attacks against retailers, “skimmers” placed inside credit-card machines at checkout counters grabbed data from the cards’ magnetic stripes. Hackers have also targeted Wi-Fi networks that transmit data within stores.
The scope of the Target attack suggested that criminals might have gained access to encrypted customer information on a central database, security experts said.
“Whoever did this is pretty sophisticated – it’s most likely not some teenager sitting in his room,” said Peter Toren, a former prosecutor with the Department of Justice’s IP and Computer Crimes division.
Target didn’t give details about how the scheme may have been carried out. The Secret Service said it is investigating. Banks and credit card companies rushed to assure customers they would not be liable for any fraudulent transactions.
Customers who think they may be affected should scrutinize card statements and free online credit reports for suspicious behavior, experts said.
The Target fiasco could cost consumers $4.1 billion, almost all from potential debit card losses. Beyond that, victims collectively could spend as many as 131 million hours getting their accounts in order, according to Javelin Strategy & Research.
Now that Target and authorities are on to the scheme, the culprits are likely to rush to capitalize on the stolen information. Shoppers making massive last-minute Christmas purchases could get a nasty surprise.
“The shelf life of those cards is down to days,” said Alex Moss, managing partner at security firm Conventus. “If consumers’ data was compromised, they could find their card balances maxed out very quickly, and then they’re stuck until the investigation is over. That could put a huge portion of people in a tight spot, particularly during the holiday season.”
The Charlotte Observer welcomes your comments on news of the day. The more voices engaged in conversation, the better for us all, but do keep it civil. Please refrain from profanity, obscenity, spam, name-calling or attacking others for their views.
Have a news tip? You can send it to a local news editor; email email@example.com to send us your tip - or - consider joining the Public Insight Network and become a source for The Charlotte Observer.Read moreRead less