40 million credit card numbers stolen from Target

Yet another major cyber attack has resulted in a database of over 40 million credit card numbers being taken by unknown hackers. The victim is the retailer Target, and the numbers were lifted between November 27th and December 15th, a period that includes "Black Friday" and "Cyber Monday", two of the biggest shopping days of the year.

Krebs on Security first reported on the theft on Wednesday and the incident was later confirmed by Target. It stated, "We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code)."

The company said Target customers should review their credit card statements closely for any unusual activity and report anything suspicious to their financial institutions. It added that it has contacted law enforcement authorities to investigate the breach and has brought in an unnamed "leading third-party forensics firm" to examine what happened and what steps Target can take to prevent similar incidents in the future. So far, the company has not offered customers free one-year identity theft protection, as other corporations have done in the past after similar database attacks.

A recent panel during the HP Discovery event in Paris revealed that the average time for a security breach to be detected after it happens is 243 days, and that the vast majority of them are found by a third party rather than the victim.

Source: Krebs on Security and Target | Image via Target

45 Comments

This is all Obama's fault. I just know it. All the stolen money is waiting for him in Hawaii. You'll see. Mark my words.

COKid said,
This is all Obama's fault. I just know it. All the stolen money is waiting for him in Hawaii. You'll see. Mark my words.

If this happens, he won't be a president again for next term.

I read most of Target's responses to this situation and basically they are saying there is no need to panic, cancel cards or try to sue them. According to them, everyone needs to stay calm and be vigilant by monitoring all activity on their cards constantly until they spot something suspicious. So basically wait until your money is stolen and *then* panic. Hilarious.

Well, you can either cancel your card now, or just monitor it; if your card has fraud management it should be spotted. With 40 million affected, each person can't be handled individually in one day.

COKid said,
Their Facebook page is a good read, at least. I love a good rant.

Seems to be a lot of ranty women and then Target doing an object lesson in social media failure by rolling out dozens of pre-written messages. Canned/scripted responses on "social" media is epic comedy.

Do people not realize that even if Target had 100,000 people on the phones (which they don't) and 40 million people were to call, they would still get put on hold for a very long time?

Edited by warwagon, Dec 19 2013, 8:27pm :

I quite love the entitlement storms. It's like people think the guys at the social media department are going to phone over to customer service and open up the lines just for one person. Do these people not realize everyone is trying to phone in at the same time?

I just checked my vendor list in Quickbooks, Target is not in that list. I've never used Target online and I can't remember the last time I was in an actual target store.

Why doesn't Target inform individual people affected by this so we can get new debit cards?

Should we as consumers get new debit cards every time some company is hacked? Since it seems to happen every month now, should I be getting new debit cards 12 times a year?

It's a week before xmas, why should I cancel my card and wait a week before the new one comes? Most people will be on vacation next week, and can't afford to not have their debit cards while away on vacation.

Target needs to compensate everyone for this.

Edited by Brandon C., Dec 19 2013, 7:20pm :

While I agree with the fact that Target needs to compensate people if it was proven to be their fault. I.e. not someone hacked their credit card processor and then forced malicious software into the system.

I don't agree with the debit card thing. Seriously debit cards don't have the same security features that credit cards do and nor do they have the same laws. Credit cards have pretty strict fraud protection laws. Debit cards usually don't. People seem to think that they're safer to use because you have a 4 digit pin protecting you, but they really aren't. And if someone gets a hold of your PIN you have 0 protection. The bank isn't legally obligated to refund your money if your card and PIN were stolen and used.

This hack didn't happen on stored data...this happened at the point of sale machine when your card was swiped. Someone managed to upload malicious software to the POS machine you swipe your card on. Because of that whenever someone swiped their card, all the data that's stored on the magnetic stripe was sent to the thieves.

-Razorfold said,
This hack didn't happen on stored data...this happened at the point of sale machine when your card was swiped. Someone managed to upload malicious software to the POS machine you swipe your card on. Because of that whenever someone swiped their card, all the data that's stored on the magnetic stripe was sent to the thieves.

Target, pls.

Stop spamming the company line.

1) We don't know that for a fact and it sounds like an excuse for Target to not pay the $100,000 per incident ($100,000 x 40 million = bankruptcy).

2) The fact the card number left my card and was in the possession of Target's payment device (no matter at what stage of the electronic process) means that Target was in control and in possession of my CC data. They are 100% accountable for this violation.

Brian Miller said,
1) We don't know that for a fact and it sounds like an excuse for Target to not pay the $100,000 per incident ($100,000 x 40 million = bankruptcy).

2) The fact the card number left my card and was in the possession of Target's payment device (no matter at what stage of the electronic process) means that Target was in control and in possession of my CC data. They are 100% accountable for this violation.


What? JC Penney had 46 million credit card numbers stolen in 2007, they did not shell out anywhere near 4.6 trillion dollars.

Security experts say hackers targeted the retailer's point-of-sale system. That means they either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was en route from Target to its credit card processors.

Last I checked security experts do not equal Target. And guess what? Most stores don't usually own / process their own payments, an outside agency usually does that.

This is why retailers don't need to store credit card info.
I used to work for a retailer that didn't store, we had no reason to track users shopping habits.
It also drove me crazy when people wanted to do returns, they would always assume we had their credit card number on file so they could do the return without it. Then they would get mad at us because we didn't have it on file or that they left it at home. The convenience in returns is not worth the risk in my opinion.

Except this hack didn't happen on stored data...this happened at the point of sale machine when your card was swiped. Someone managed to upload malicious software to the POS machine you swipe your card on. Because of that whenever someone swiped their card, all the data that's stored on the magnetic stripe was sent to the thieves.

How does the encryption work then for credit card numbers?
I know with our POS systems, the numbers were encrypted right at swipe, and our systems were sonic walled from the internet.

With the larger retailers, do they not encrypt because of them storing the numbers in the databases?

wv@gt said,
How does the encryption work then for credit card numbers?
I know with our POS systems, the numbers were encrypted right at swipe, and our systems were sonic walled from the internet.

With the larger retailers, do they not encrypt because of them storing the numbers in the databases?


No idea. But if the hack happened right at the point of sale, then it doesn't matter if the data was encrypted before it was sent.

I.e. if someone installed malicious software on the credit card machines themselves, as soon as you swiped the card it would copy down the information and send it to the thieves, then send it to the credit card processor.

Were the 40 million card details stored in plain text? Doesn't appear to say, however I guess so otherwise I imagine the announcement would have said at least the details were encrypted.

Either way it's becoming a bit of a joke now...

notchinese said,

This was from IN STORE purchases, by tampering with the point of sale machines.

Then how did they get the CVV codes? They are only necessary for card holder not present transactions (like online) not in store ones. And even then they are *NOT* to be stored. Ever.

notchinese said,

This was from IN STORE purchases, by tampering with the point of sale machines.

I like the way -Razorfold, abbreviated that "point of sale" machines above. Made it sound more like correct! He put POS, which we ALL know what that one means!!

I don't think I've ever even been in a Target store, so no worries for me.

wow full details for 40 million people, someone out there hit the jackpot

It's crazy that they were able to get all the info they needed for fraud and repeat it 40 million times and they didn't notice.

I am 100% sure my account was amongst them since we shop at Target for groceries at least once a week. What next? This is kind of scary that something like this could have been going on for weeks before anyone noticed.

KeR said,
I am 100% sure my account was amongst them since we shop at Target for groceries at least once a week. What next? This is kind of scary that something like this could have been going on for weeks before anyone noticed.

If it is a debit card I would contact your bank today and have the card numbers changed.

LogicalApex said,

If it is a debit card I would contact your bank today and have the card numbers changed.

This is the right course of action. If you suspect that you might have gotten caught in this, you should get in touch with your bank to get new cards.

They store credit card details because it helps them track what you buy at their stores and then they mail you coupons based on your spending habits.

In this case, however, it's thought (at least according to the news) that the thieves were able to upload the software to Target's point of sales system. That way when you swiped your cards, all the details were transmitted to both the banks and the thieves.

-Razorfold said,
They store credit card details because it helps them track what you buy at their stores and then they mail you coupons based on your spending habits.

I'm a software developer, and although I've never had to write credit card processing code, my understanding is that there is never, ever any legitimate reason for a store to hang onto the 3-digit security code (for starters). They certainly don't need that if the purpose is to track what you buy and send you coupons.

_dandy_ said,

I'm a software developer, and although I've never had to write credit card processing code, my understanding is that there is never, ever any legitimate reason for a store to hang onto the 3-digit security code (for starters). They certainly don't need that if the purpose is to track what you buy and send you coupons.


Except this hack didn't happen on stored data...this happened at the point of sale machine when your card was swiped. Someone managed to upload malicious software to the POS machine you swipe your card on. Because of that whenever someone swiped their card, all the data that's stored on the magnetic stripe was sent to the thieves.

-Razorfold said,

Except this hack didn't happen on stored data...this happened at the point of sale machine when your card was swiped. Someone managed to upload malicious software to the POS machine you swipe your card on. Because of that whenever someone swiped their card, all the data that's stored on the magnetic stripe was sent to the thieves.

Do we know all of this for a fact already? I never trust early reports.