Target Confirms Massive Data Breach; 40 Million Cards May Be Affected

Debit and credit cards used at Target stores across the U.S. between Nov. 27 and Dec. 15 may have been compromised. Purchases at Canadian stores and online at Target.com are not affected.

Financial institutions and consumers are reeling this morning from news of a massive data breach at Target stores nationwide that could affect as many as 40 million credit and debit card accounts, making it potentially one of the largest retail breaches in U.S. history.

The breach, first reported by security blogger Brian Krebs and confirmed by Target on Wednesday, affects cards used in the company’s 1,797 U.S. stores between Nov. 27 and Dec. 15. That includes Black Friday and the all-important shopping weekend after Thanksgiving.

Purchases made online at Target.com and at the company’s 124 Canadian stores apparently were not compromised.

Target says customer names, card numbers, expiration dates and three-digit security codes are at risk. The type of data stolen — also known as “track data” — could make it possible to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If PIN data for debit transactions also was intercepted, thieves theoretically would be able to reproduce stolen debit cards and use them to withdraw cash from ATMs, Krebs said.

Target said on its website Thursday that it is working with a third-party forensics team to investigate the breach “and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future.” Financial institutions were notified immediately after the breach was discovered, the company said.

“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue so guests can shop with confidence,” said Gregg Steinhafel, Target’s chairman, president and chief executive officer. “We take this matter very seriously, and are working with law enforcement to bring those responsible to justice.”

VISA and Mastercard officials said Thursday that they are working to identify compromised account numbers and would provide those files to card processors and issuers as soon as possible. In the meantime, consumers are being urged to monitor their accounts and report unauthorized activity to Target by calling 866.852.8680.

Northwest credit unions moved quickly to alert their members, many posting to Facebook and Twitter within hours of Target’s confirmation. All went to great lengths to assure members that accounts were being monitored and that policies were in place to mitigate risks. “Express Credit Union is taking every precaution possible to protect our members,” the Seattle credit union posted.

CSCU, one of the industry’s largest providers of payment systems, posted information on its website and sent emails to member credit unions by noon Thursday. CUNA Mutual Group and CO-OP Financial Services also sent risk alerts to member credit unions with more details of the breach and tips on mitigating potential risks.

Kristi Mackey, CSCU’s vice president for client services and products, said credit unions essentially have two options:

  • Don’t block and reissue cards. Instead, monitor transaction activity on accounts and encourage members to go online, monitor their own accounts and sign up for alerts. This option minimizes member inconvenience so close to Christmas, Mackey said, but it potentially subjects credit unions to greater fraud losses; or
  • Block and reissue a new account. This minimizes potential fraud losses, Mackey said, but could create reputational risk by causing inconvenience to members.

Phil Tschudy, media relations manager for CUNA Mutual Group, said Friday that his company is strongly recommending the second option. “Credit unions electing not to block and reissue (the impacted open card numbers) could experience magnetic stripe fraud in the future,” he said.

No matter which option they choose, credit unions should make sure their members are well-informed and understand their rights and obligations, the Northwest Credit Union Association said Thursday. David Curtis, the NWCUA’s director of compliance services, said credit unions should consider:

  • Assuring members that the credit union has security and monitoring policies in place, and that it is watching closely for suspicious activity. Tell members what steps you will take if you find suspicious activity, or what steps you are taking if the situation has progressed to that point. Briefly share your method of direct contact with members so they will be informed of any suspicious activity on their cards. If the credit union plans on canceling all cards that were possibly affected and issuing new ones, it would be helpful to tell members before their cards are canceled.
  • Urging members to leverage the alert services that you offer on your cards. Consumers should monitor their transactions daily and should report anything suspicious to the card issuer. They can do so by using the 800 number on the back of the card. Credit unions may want to include an online link for members, too.
  • Informing members of the limitations in their liability for unauthorized transactions. Debit card liability is governed by Regulation E; credit cards follow the VISA and MasterCard limitations on liability. Stress to members that they need to report any unauthorized or suspicious transactions to the credit union as soon as they can.
  • Urging members to change passwords and PINs if they notice suspicious activity. They may request that new cards be issued to them.
  • Summarizing briefly what is known about the current breach and updating with new information as needed. Within your statement, link to the websites of the organizations where the breach occurred, such as the retail chain, for more information.

“With credit unions still recovering from a recent card breach at Northwest grocery stores, the last thing they needed was a card breach at a nationwide retailer,” Curtis said. “Unfortunately, that appears to be what happened. Credit unions will want to contact their card processors immediately to help determine which of their members’ cards may have been compromised.”

Credit unions also can point their members to the Federal Trade Commission website at www.consumer.gov/idtheft, where they can report incidents of identity theft and learn how to protect themselves from future incidents. In addition, consumers can monitor their credit report once every 12 months for free; details are at www.AnnualCreditReport.com.

More information is available at Target’s corporate website, and in an NWCUA Fraud Alert issued Thursday.

 

Questions? Contact Gary Stein: 503.350.2216, gstein@nwcua.org.
