The security breach of credit- and debit-card data at Target Corp. (TGT) is evidence of the increasing threats retailers face and a reminder that the U.S. lags behind much of the world in securing personal financial information.
Target, the second-largest U.S. discount chain, said yesterday that data for about 40 million debit and credit cards may have been wrongfully accessed from Nov. 27 to Dec. 15. Law enforcement, including the U.S. Secret Service and the state attorneys general of New York and Massachusetts are looking into the matter. The chain said today that there have been few reports of fraud and that customers won’t be held responsible for any that took place.
The breach occurred when a computer virus infected Target’s point-of-sale terminals, said a person familiar with the matter who asked not to be identified because the investigation is private. Swiping cards had been considered safer than shopping online because the data is harder to steal, according to Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York.
“Attacks of this scale are common, but attacks that get this class of data are unusual,” Kaminsky said. “It’s a war out there.”
Target issued a statement today from Chief Executive Officer Gregg Steinhafel extending a 10 percent discount to guests who shop in U.S. stores on Dec. 21 and Dec. 22. It also offered free credit reporting and assured customers that they would not be held responsible for fraudulent charges. Steinhafel apologized for shoppers’ difficulties reaching its customer service department.
“The issue has been identified and eliminated,” Steinhafel said of the breach. “We recognize this has been confusing and disruptive during an already busy holiday season.”
Separately, Target agreed to provide a year of free credit monitoring to New York victims of the breach, the New York attorney general said today.
While card-swiping devices have been hacked in the past, the incidents typically occurred at a single machine or store, not chain-wide, which is why this breach is troubling, Kaminsky said. Target said account numbers, expiration dates, cardholder names and credit verification value, or CVV, had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.
Many nations have done away with the magnetic strips still used in the U.S. and moved to chips embedded in the cards that are harder to compromise. The U.S. payments industry has said it will replace magnetic strips by 2020; that deadline may be moved up in the wake of this incident, Kaminsky said.
Data breaches have hit other retailers in the past. TJX Cos., owner of the T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into its computer system and stole about 45.7 million credit and debit card numbers. The theft set a record at the time for such breaches. In 2009, the company paid $9.7 million in a settlement with 41 U.S. states over the loss of customer data.
In July, four Russians and a Ukrainian were charged in what prosecutors called the largest hacking scheme in U.S. history, a break-in to computers of retail chains that included 7-Eleven Inc., Carrefour SA and Wet Seal Inc. and more than 160 million credit card numbers.
Global card fraud losses for banks, merchants and processors climbed 15 percent to $11.3 billion last year from 2011, according to the Nilson Report, a payments industry newsletter based in Carpinteria, California.
Target’s security and public-relations challenges come as U.S. retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009. The last thing Target needs as rivals pour on discounts in a last-ditch grab for market share is for its customers to wonder if they should use their cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.
“The timing could be a concern, especially only a few days before Christmas,” he said in an interview.
Molly Snyder, a spokeswoman for Target, declined to comment on the cause of the breach, citing the investigation.
Target, which has 1,797 stores in the U.S. and 124 in Canada, rose 0.5 percent to $62.49 at the close in New York after falling 2.2 percent yesterday. The stock has gained 5.6 percent this year, compared with a 43 percent gain for Standard & Poor’s 500 Retailing Index.
The breach came after the chain had already cut its annual forecast for same-store sales growth to 1 percent from as much as 2.5 percent in August. Doubts about its security could reduce purchases and the number of people signing up for a REDcard, its in-house credit and debit cards, Perkins said. Those cardholders are the retailer’s biggest spenders, he said.
Jami Aspenwall, a 36-year-old mother of five from Cartersville, Georgia, said she canceled her Target-issued debit card after someone made $500 in purchases with it. Those losses will now force her to postpone a trip to Tampa, Florida, to see relatives for Christmas because her bank said it may take two weeks to get the money back.
“We’ll have to sit down with the kids tonight and tell them your trip is likely on hold,” said Aspenwall, a stay-at-home mother of kids ranging from 3 to 18 years old. “I don’t want to ruin their Christmas. It’s not their fault.”
Shoppers at Target.com might be spooked, too. A link across the top of the site yesterday read: “important notice: unauthorized access to payment card data in U.S. stores.”
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” Steinhafel said yesterday in a statement.
The credit-card companies said they were aware of the breach and were working with Target and law enforcement. Representatives from Discover Financial Services, Visa Inc., MasterCard Inc., American Express Co. and JPMorgan Chase & Co. all said customers wouldn’t be responsible for fraudulent purchases made on their accounts.
In a letter posted on its website, Target encouraged customers to report any unusual activity on their accounts to their financial institutions. Target also said customers could call the company for assistance.
The retailer’s customers took to social media to voice displeasure about the breach and not being able to contact the company about their REDcard accounts.
One was Stephanie Manzano, a 28-year-old from Federal Way, Washington, who swore off Target after learning that data had been compromised. She canceled her Target debit card after not being able to reach the retailer’s customer service. She now plans to shift her shopping to Wal-Mart Stores Inc.
“It’s very stressful,” Manzano, a mother of a special-needs child, said in a phone interview. “I kept calling Target, and I just got a busy signal. While I’m trying to call them, someone could take my identity and take my money. With a special-needs child, you’re worried about your finances. We’re a one-income household, we can’t afford that.”
Target said today that it has quadrupled capacity of its REDcard online account-management site and is adding capacity to its call center.
To contact the reporters on this story: Matt Townsend in New York at firstname.lastname@example.org; Lindsey Rupp in New York at email@example.com; Lauren Coleman-Lochner in New York at firstname.lastname@example.org
To contact the editor responsible for this story: Robin Ajello at email@example.com