Retailers are an appealing target for hackers during the holidays, and Target may be learning that lesson the hard way. According to Krebs on Security, the US retail giant is investigating a major breach that could potentially involve "millions" of customer credit and debit card records. The sophisticated hack reportedly took place over several weeks — starting on Black Friday and possibly extending all the way through December 15th — and is said to involve "nearly all" Target stores in the United States.
Krebs says the breach "involves the theft of data stored on the magnetic stripe of cards used at the stores." Online orders are said to be unaffected. Still, it sounds like a worst case scenario for Target and its shoppers, with Krebs writing:
The type of data stolen — also known as "track data" — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
Thus far Target has offered no comment on the rumored breach, nor any direct confirmation of a hack. An anti-fraud analyst at a "top-ten US bank card issuer" made the situation sound dire, telling Krebs, "We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized." We have reached out to the company for more details.
Update 2: Target has now confirmed the data breach. Up to 40 million card accounts may have been affected between November 27th and December 15th. In a press release, the company says it "alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts."