Target Black Friday 2013 Fraud Update: Data Breach Much Bigger Than First Reported, May Top 100,000,000 Records

Target Black Friday 2013: Target said that the number of customers the Black Friday breach surged by another 70 million more than the originally reported 40 million.Target also broadened the range of information that was stolen to include "guest information' as well as customer information.


Target says the Black Friday data breach could reach up to 100 million records. This figure puts the Target Black Friday breach in the statoshphere of Adobe and Sony hack attacks. 


Target says cybercriminals stole 40,000,000 payment card records. The megachain announced "As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals. sucked up by cybercriminals."


The Target announcement said "Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all Target guests who shopped our U.S stores. Guests will have three months to enroll in the program. Additional details will be shared next week."


The Target Black Friday hackers may be able to reproduce credit and debit cards and use them to withdraw cash from ATMs. Target Black Friday stolen data included names, numbers, expiration dates and data taken from the magnetic strip when credit or debit cards are swiped.   40 million credit and debit card customers were affected when Target, the nation's second-retailer, was hit by a data breach. Customers who shopped at Target after Thanksgiving through Dec. 15 are susceptible to fraud. 


Krebs on Security says that the data breach extends to "nearly all Target locations nationwide." Multiple reports reveal Target shoppers may be at risk. The Wall Street Journal has independently confirmed the Target Black Friday breach. WSJ reported that roughly 40,000 card devices at store registers may have been affected. 


Target said some customers have been unable to use its gift cards because they weren't fully activated. 


Target's announcement comes less than two weeks after disclosing the Black Friday 2013 security breach of its credit- and debit-card system.In an email,  Molly Snyder, a spokeswoman for Target said "We are aware that some Target gift cards were not fully activated and apologize for the inconvenience."


Snyder said that less than 0.1 percent of the cards sold during the Black Friday 2013 period were affected. Target will honor the affected cards. 


Target has been working to retain customers' loyalty after Black Friday 2013. Target said data related to shoppers' personal identification numbers was stolen. 

Target admitted that some encrypted data had been pulled by Black Friday hackers including encrypted debit card PIN data was stolen in the Black Friday 2013 security breach.

Target says its encryption system would not give the Black Friday hackers access to the encryption key. Target says only the external payment processor can access that kind of information

A Target spokesperson said "While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

Criminals are already selling Target customers' credit and debit card data on the black market. A single card can fetch up to $100. Consumer watchdogs urge customers who shopped at Target during the Black Friday time period to check their credit card statements. Custoners should change their PIN in the aftermath of the massive breach that happened at Target Stores on Black Friday.

People who shopped at Target between Black Friday and the beginning of December should look for any purchases, no matter how small, that might show fraudsters using their account. Target customers are also being urged to contact their banks to request a replacement card and change their PIN. 

Santander Bank caps on customer purchases and withdrawals made with compromised credit and debit cards. Chase also imposed a money limit.

The Target Black Friday breach was caused by malware on store point-of-sale systems. Target is cooperating with the fed, including the braches Secret Service and Department of Justice. At the request of law enforcement Target is withholding additional details, but said its legal team held a conference call with most states' attorneys general on Monday afternoon.

Target hired a private firm to review its information security. Two U.S. senators urged consumer protection agencies to investigate to Black Friday breach.On Saturday JPMorgan Chase contacted about 2 million affected debit card members Saturday and said they would be limited to a maximum of $100 cash withdrawals and $300 in purchases per day. Chase put daily cash and spending limits on debit cards that were used at Target stores that could be susceptible to fraud. In the middle of Christmas shopping season Chase spokeswoman Kristin Lemkau said less than 10 percent of Chase customers are affected.

Target's CEO Gregg Steinhafel apologized and said Target added workers to field calls and help solve website issues. Target is also offering free credit-monitoring services to those who've been affected by the issue.

Target reiterated that the stolen data included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip found on the backs of cards.

Target Hackers got encrypted PIN data. Hackers who stole data at Target stores on Black Friday reportedly accessed the associated encrypted personal identification numbers (PINs) too. The numbers could be used to make fraudulent withdrawals. 

Reuters quoted "a senior payments executive familiar with the situation." Target says that unencrypted PINs were not accessed during Black Friday breach and that there was no evidence that PINs were compromised. The Secret Service and Justice Department are investigating.


Target downplayed the breach. Target spokeswoman Molly Snyder said  "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date. We are very early in an ongoing forensic and criminal investigation."


Stolen credit and debit card accounts are already flooding underground black markets. The cards were stolen during a security breach at Target stores starting on Black Friday 2013.  The cards are being sold in batches of one million cards.
According to KrebsOnSecurity, the Target Black Friday cards are being sold from around $20 to more than $100 each. The Target Black Friday incident is the second-largest credit card breach in U.S. history. In 2005 at least 45.7 million card users were scammed in a breach involving retailer TJX Cos.


KrebsOnSecurity is a security news site that has been on top of the Target Black Friday breach. KrebsOnSecurity says there are hundreds of online stores worldwide that sell stolen credit and debit cards from banks. Their reporters spoke to a fraud analyst at a major bank. The analyst said his team infiltrated an online store that advertised in cybercrime forums. The store advertised itself as a place where thieves can buy stolen cards. The fraud analayst was able to buy a portion of the bank's accounts. 

Tags
world news
Target
target black friday 2013
Fraud
data breach
Join the Discussion

Latest Photo Gallery

Real Time Analytics