In one of the largest breaches of consumer data security in American history, Target — the nation’s second-largest “big box” discount retail chain — reported that the credit and debit card information of 40 million customers was stolen. This data belonged to shoppers who made purchases at the store from Nov. 27 to Dec. 15.
It is unknown at this time if online shoppers were affected. The data thieves stole the customer names, credit or debit card numbers, expiration dates and three-digit CCV security codes that were received via card swipes during the 19-day period.
While it is unknown who is behind the attack or how it was done, it is suspected that Target was hacked. It is believed that the thieves chose the holiday season — which is traditionally the busiest season for retail — to strike, knowing that the store’s normal fraud-detection system would already be overtaxed by normal transactions.
Such thefts have become common in recent years. In 2007, T.J. Maxx was hit by a theft of 90 million customers’ data, and in 2009 Heartland Payment Systems was attacked in the largest single data theft recorded — 130 million stolen credit card records.
KrebsOnSecurity has reported that the stolen Target customer data has been found for sale on the black market in batches of one million cards — selling for between $20 and more than $100 per card.
With the credit card record, a hacker can encode a fake credit card and — with information obtained through public records, such as birth dates and addresses — can assume a cardholder’s online identity.
If an affected customer swiped a debit card and used a PIN code to make a purchase, and that information is included in one of the bundles, a hacker would have full access to the customer’s bank account.
The Target case represents a scenario in which both the customer and the store could have done everything right, but still the worst happened because the system failed.
When customers swipe their cards through a card reader, the card data is sent to the store’s computer, which sends a copy to the servicing bank for authorization and servicing. This data travels from the store to the bank via telephone-carrier trunk lines, which are routed through a series of hubs and switches. A hacker can intercept the data at any unsecured point along this route.
With the number of data breaches increasing and with companies not being required to inform customers of such breaches — as long as the company made an attempt to encode customer data with at least basic encryption — it is important that consumers are proactive about their own data security.
Credit reports should be obtained at least annually and thoroughly searched. Purchases should be checked against credit card and bank statements at least monthly. When you hand your credit card to a clerk for a purchase, it should always stay in sight. The clerk should not take the card underneath the counter, turn her back to you while in possession of the card, write down any card information or run the card through anything other than the card reader.
In addition, card readers that look loose, unusual in design, doctored or otherwise manipulated, or that seem atypical in any way, should not be used. Skimming devices — which record card swipes — or pinhole cameras can easily be installed in gas pumps, ATMs and vending machines.
Finally, consumers must recognize that they could be directly targeted and take steps — including protecting their purse or wallet from pickpockets and RFID-proofing their cards.
But ultimately, the best many can do in light of such aggressive data theft is to be aware of one’s own vulnerability and take the proper steps if and when a personal data theft occurs.
“There’s not a great deal customers can do, other than take the necessary steps, like changing passwords, credit card numbers if they have been informed of a breach,” said Michael Sutton, a vice president for research at ZScaler, a security company. “Beyond that, they can take proactive steps like shopping with reputable vendors.
“Then again,” he added. “Here we are talking about one of the largest retailers in the United States. No one is immune.”