By Jim Finkle and Siddharth Cavale
BOSTON (Reuters) – Target Corp said hackers might have stolen data from some 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a U.S. retailer.
In terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented. It took place in the 19 days from the day before Thanksgiving to Sunday, in the heart of the crucial Christmas holiday sales season.
Target, the No. 3 U.S. retailer, said on Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
Experts said the incident could not have come at a worse time for Target, which is working to woo sales away from rivals in the last week of the holiday shopping season. Complaints from customers began to surface on social media as they learned of it early Thursday morning.
“Most of these attacks are just a cost of doing business,” said Mark Rasch, a former U.S. cyber crimes prosecutor. “But an attack that’s targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence.”
The largest breach against a retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.
Since then, companies have gotten far more adept at identifying intruders. But criminals have responded by developing more-powerful attack strategies, spending months on reconnaissance to launch highly sophisticated schemes with the goal of extracting as much data as they can in the shortest period of time.
Investigators believe that hackers compromised software installed on point-of-sale terminals that customers use to swipe magnetic stripes on cards when paying for merchandise at Target stores, according to a person familiar with the investigation but not authorized to discuss the matter.
The company’s shares were down 1.9 percent at $62.32 on the New York Stock Exchange, while the Standard & Poor’s 500 stock index fell 0.2 percent.
Target warned customers in an alert on its website that the criminals had stolen names, payment card numbers, expiration dates and security codes.
The company had identified the breach on Sunday and had begun responding to it the same day, spokeswoman Molly Snyder said.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target’s 1,797 stores in the United States.
It is not yet clear how the attackers were able to compromise point-of-sale terminals at so many Target stores. “It is very clear it is a sophisticated crime,” Snyder said.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
Unhappy customers began to weigh in early on Thursday, posting complaints on Target’s Facebook page.
“Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again,” said one posting.
“Shop at Target, become a target,” remarked another. “Gee, thanks.”
JPMorgan Chase & Co, one of the biggest U.S. credit card issuers, said it was monitoring the accounts involved for suspicious activity and urged customers to contact the bank if they noticed any.
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
Identity theft tips include:
- Check your credit card and debit card accounts regularly. Monitor your accounts to look for suspicious activity, such as charges you don’t remember making. If you find any errors, immediately notify your credit or debit card provider.
- Place an initial fraud alert on your credit report. Contact one of the three major credit reporting agencies — Experian, Equifax, or TransUnion — to place an initial fraud alert, which will stay on your credit report for 90 days. The alert is free of charge and will make it more difficult for someone to open credit in your name.
- Consider placing a security freeze on your credit report. A security freeze essentially puts a lock on your credit so that most third parties can’t access your report. This will help protect you from unauthorized accounts being opened in your name. Contact each credit reporting agency to place or to learn more about a security freeze.
- Check your credit report at www.annualcreditreport.com. You are entitled to one free credit report per year from each of the three major credit reporting agencies. You can pull all three at once, or you can stagger pulling your reports throughout the year.
(Reporting by Jim Finkle and Siddharth Cavale. Additional reporting by David Henry; Editing by Kirti Pandey, Rodney Joyce and Lisa Von Ahn)