US retailer Target confirms up to 40 million cards tainted by data breach

19 Dec, 2013 11:19 / Updated 11 years ago

One of the largest American retailers Target has confirmed that a massive breach of security involving the credit card details of up to 40 million Target customers took place between the end of November and the middle of December.

The breach was thought to have begun around Black Friday, on November 27th and was only brought to a close on December 15th.

“We take this matter very seriously and are working with law enforcement to bring those responsible to justice,” Target chairman, Gregg Steinhafel stated.

On Wednesday evening, the Secret Service announced they were looking into the matter.

“The Secret Service will confirm it is investigating the incident at Target,” security spokesperson Brian Leary told USA Today.

The Target security breaches purportedly involved the stealing of information from the magnetic strip on the back of credit and debit cards through point-of-sale systems.

The systems, used by Target and thousands of other stores across America to process card transactions, are an optimum target for cybercriminals, and they are often thought to involve company employees. The complicit worker would have to insert malware into the computer system processing the sales, or could have been encouraged to click a link which resulted in the downloading of malware.

Target has over 1,800 stores across the US and Canada.

Similar security breaches have been seen across the US this year, with 63 Barnes and Noble stores nationwide falling subject to attack, causing the chain to switch off all 7,000 keypads in its several hundred stores.

Mike Donovan, Global Focus Group Leader for security company Beazley Breach Response, told USA Today that the problem was widespread across all company sizes. “You see the stories about the big ones in the news, but breaches are affecting companies all across the board,” he said.

“Any company that handles personal data is vulnerable,” Donovan said.

The security breach was first reported by Brian Krebs, a security blogger, on December 13th.

He cited “multiple [unnamed] reliable sources” at two different top 10 credit card issuers - nearly a week before Target confirmed the security breach themselves.

Krebs quoted one of them as saying “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”