Target, one of the largest U.S. retailers, issued a notice of a massive data breach that affects customers who used a payment card at Target stores in the U.S. during the busiest shopping weeks of the holiday season.
The company said that unauthorized access to the store’s payment data compromises roughly 40 million credit and debit card accounts that were used for purchases at Target stores from Nov. 27 to Dec. 15, 2013.
“We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code),” the retailer said in a notice on its website. The stolen card information is enough for cybercriminals to make fraudulent purchases.
The data breach was first reported by Krebs on Security, a security industry blog, which said that investigators suspected the card data was stolen via malicious software installed on Target’s payment terminals, where customers swiped their credit and debit cards.
Target did not say how the customer card information was stolen, but the company said it is working with a forensics team to investigate the incident. Financial institutions and federal authorities have been notified of the situation.
What affected customers should do
Knowing that their card numbers are no longer private, customers affected by the Target data breach may be quick to fix the situation by requesting changes to their account numbers. Such a move may not be necessary, because new account numbers would also require reconfiguring payments and transfers throughout one’s financial and billing accounts.
“The first thing is to not panic,” said Yaron Samid, CEO of BillGuard, a company that helps consumers monitor suspicious activity on their credit cards. “This is something that might not affect them in the next few days, but it could affect them in the next few months because their card numbers are in the hackers’ database or being sold on the black market.”
BillGuard identified users who had transactions at U.S.-based Target stores during the data breach window and alerted those users of the incident.
Samid advises affected consumers to extra vigilant for next few months and review statements very closely for “micro-charges” — small charges that are made to validate an active card account.
Various card protections will shield consumers in the event that fraudulent activity does occur. With credit cards, consumers are not responsible for any unauthorized purchases that occur. With debit cards, consumers are not liable for fraudulent charges if the charges are reported within 60 days.
“Typically, in cases like this, banks are very supportive of their customers in dealing with fraudulent activity,” Samid added.
On the first sign of suspicious activity, affected consumers should call their card issuer through the phone number on the back of their cards. Those with a Target REDcard should contact Target directly. Card issuers will reissue new cards with new account numbers.