Approximately 40 million credit and debit card details are said to be at risk.
According to a statement issued by the company, customers should check their accounts carefully for suspicious or unusual activity, after hackers managed to access shoppers’ names and credit card details.
Part of the statement reads:
We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013. Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.
We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).
Brian Krebs, who first reported the news of the data breach on his blog, said that the attack appears to have begun around Black Friday 2013, the day after Thanksgiving, and the busiest shopping day of the year.
According to Krebs, sources confirmed to him that the breach extends to nearly all Target stores across the country.
An obvious fear will be that the criminals will use the stolen data to create counterfeit credit and debit cards, and plunder customers’ bank accounts. Hence the importance of keeping a close eye on your accounts and card statements if you were shopping at Target recently. Target offers further advice to potentially affected customers on its website.
To be frank, this security breach sounds pretty bad. And if customers are impacted in their wallets, it will be a PR nightmare for Target.
In many ways, it has echoes of the infamous TJ Maxx security breach of 2007, where many millions of credit card details were nabbed by a gang of hackers. In that case, the criminals exploited weak WiFi encryption used by the stores to make off with the valuable data.
We don’t, however, know the facts yet about how the criminals broke into Target’s computer network. Nonetheless, this is probably as good a time as any to underline to retailers just how essential it is that they do everything in their power to protect their customers’ information.
Here are some tips if you’re a retailer:
- Keep computers that store sensitive data, such as customer records, separate from your public facing website and servers.
- Ensure that sensitive data can be accessed by only those employees who actually need access to it.
- All sensitive data should be securely encrypted. There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals.
- Harden your website so it is not vulnerable to attacks such as SQL injection.
- Ensure that all points of your network – on all of your sites – are protected by good quality up-to-date security software, control the use of USB sticks, and deploy web security filtering in place to keep employees safe when they’re online.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.