Up to 40 million Target shoppers put at risk after massive credit-card data breach

Graham Cluley

Anyone who shopped at Target between 27 November and 15 December is being told to be on their guard, after the North American retailer admitted they had been the victim of a massive data breach.

Approximately 40 million credit and debit card details are said to be at risk.

According to a statement issued by the company, customers should check their accounts carefully for suspicious or unusual activity, after hackers managed to access shoppers’ names and credit card details.

Part of the statement reads:

Dear Guest,

We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013. Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).

Statement from Target

Brian Krebs, who first reported the news of the data breach on his blog, said that the attack appears to have begun around Black Friday 2013, the day after Thanksgiving, and the busiest shopping day of the year.

According to Krebs, sources confirmed to him that the breach extends to nearly all Target stores across the country.


An obvious fear will be that the criminals will use the stolen data to create counterfeit credit and debit cards, and plunder customers’ bank accounts. Hence the importance of keeping a close eye on your accounts and card statements if you were shopping at Target recently. Target offers further advice to potentially affected customers on its website.

To be frank, this security breach sounds pretty bad. And if customers are impacted in their wallets, it will be a PR nightmare for Target.

In many ways, it has echoes of the infamous TJ Maxx security breach of 2007, where many millions of credit card details were nabbed by a gang of hackers. In that case, the criminals exploited weak WiFi encryption used by the stores to make off with the valuable data.

We don’t, however, know the facts yet about how the criminals broke into Target’s computer network. Nonetheless, this is probably as good a time as any to underline to retailers just how essential it is that they do everything in their power to protect their customers’ information.

Here are some tips if you’re a retailer:

  • Keep computers that store sensitive data, such as customer records, separate from your public-facing website and servers.
  • Ensure that sensitive data can be accessed by only those employees who actually need access to it.
  • All sensitive data should be securely encrypted. There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals.
  • Harden your website so it is not vulnerable to attacks such as SQL injection.
  • Ensure that all points of your network – on all of your sites – are protected by good quality, up-to-date security software, control the use of USB sticks, and put web security filtering in place to keep employees safe when they’re online.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
