Breach a risk for 40 million Target-goers

Case of shopper-data theft is 2nd-largest for a retailer

Arkansas Democrat-Gazette/MELISSA SUE GERRITS 12/19/13 - Target off Chenal Parkway December 19, 2013.
Arkansas Democrat-Gazette/MELISSA SUE GERRITS 12/19/13 - Target off Chenal Parkway December 19, 2013.

Target Corp. said Thursday that data connected to about 40 million of its customers’ credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.

The retailer said customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Sunday may have had their accounts exposed. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes on the backs of cards.

Information was taken from Target store brand cards and major card brands such as Visa and MasterCard.

The data breach did not affect online purchases, the company said.

Target’s acknowledgement came a day after news reports surfaced that the discounter was investigating a breach. A security blogger, Brian Krebs, first reported the theft Wednesday.

The retailer hasn’t disclosed how the theft of data occurred, but said it has fixed the problem and credit card holders can continue shopping at its stores.

Target, which has 1,797 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach on Sunday. The company has hired a forensics firm to investigate and prevent future breaches. Brian Leary, a spokesman for the Secret Service, which investigates financial fraud, said the agency was investigating.

The data theft marks the second-largest credit card breach in the U.S. after retailer TJX Cos. announced in 2007 that at least 45.7 million credit and debit card users were exposed to credit card fraud.

Target advised customers Thursday to check their credit card and bank statements carefully. Those who see suspicious charges on the cards should report them to their credit card companies and call Target at (866) 852-8680.

“We encourage everyone to be vigilant,” even if Target shoppers haven’t noticed suspicious activity on their credit card accounts, a Target spokesman said.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Chairman, President and Chief Executive Officer Gregg Steinhafel said in a statement Thursday.

“A data breach is of itself a huge reputational issue,” said Jeremy Robinson-Leon, a principal at Group Gordon, a corporate and crisis public relations firm. He said Target needs to send the message that it’s working with customers to answer questions. He believes Target should have acknowledged the problem on Wednesday rather than waiting until early Thursday.

Target’s challenges come as U.S. retailers gear up for the end of a Christmas shopping season that ShopperTrak predicts will be the slowest since 2009. The last thing Target needs as rivals pour on discounts in a last-ditch grab for market share is for its customers to wonder if they should use their debit or credit cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.

“The timing could be a concern, especially only a few days before Christmas,” he said.

Many displeased Target customers left angry comments on the company’s Facebook page Thursday. Some threatened to stop shopping at the store. Many customers complained they couldn’t get through to the call center and couldn’t access Target’s branded credit card website. Target apologized on its Facebook page and said it is “working hard ” to resolve the issue and is adding more workers to field the calls and help solve website issues.

Christopher Browning, 23, of Chesterfield, Va., said he was the victim of credit card fraud earlier this week and he believes it was tied to a purchase he made at Target with his Visa card on Black Friday. However, he called Visa on Thursday and the card issuer couldn’t confirm his theory. He said he hasn’t been able to get through to Target’s call center.

On Monday, Browning received a call from his bank’s anti-fraud unit saying that there were two attempts to use his credit card in California - one at a casino in Tracey for $8,000 and the other at a casino in Pacheco for $3,000. Both occurred on Sunday and both were denied. He canceled his credit card and plans to use cash.

“I won’t shop at Target again until the people behind this theft are caught or the reasons for the breach are identified and fixed,” Browning said.

Brianna Byrnes, 22, of Kansas City, Mo., a student at the University of Missouri-Kansas City and a call center worker, said she made a Target purchase during the affected period.

She said the situation made her “a little bit” nervous but was still planning to shop for toys at the retailer.

“I’ve never had anyone steal my identity. I guess it’s taking a risk.”

The incident is particularly troublesome for Target because it has used its branded credit and debit cards as a marketing tool to lure shoppers with a 5 percent discount.

The company said during its earnings call in November that as of October some 20 percent of store customers have the Target branded cards. Households that activate a Target-branded card have increased their spending at the store by about 50 percent on average, the company said.

“The fact this breach can happen with all of their security in place is really alarming,” said Avivah Litan, a security analyst with Gartner Research.

Litan said Target and other retailers spend millions of dollars each year on credit card security measures. Given Target’s heavy security, Litan said she believes the theft may have been an inside job.

Target Corp. stock dipped $1.40, or 2.2 percent, to close Thursday at $62.15.

Information for this article was contributed by Anne D’Innocenzio, Michelle Chapman and Bree Fowler of The Associated Press; by Nicole Perlroth and Elizabeth A. Harris of The New York Times; and by Matt Townsend, Lindsey Rupp and Lauren Coleman-Lochner of Bloomberg News.

Front Section, Pages 1 on 12/20/2013

Upcoming Events