NEW YORK - The security breach of credit and debit card data at Target Corp. is evidence of the increasing threats retailers face and a reminder that the U.S. lags behind much of the world in securing personal financial information, experts say.
Target, the second-largest U.S. discount chain, said Thursday that data for about 40 million debit and credit cards may have been wrongfully accessed from Nov. 27 to Dec. 15. Law enforcement, including the Secret Service, and the state attorneys general of New York and Massachusetts are looking into the matter.
The breach occurred when a computer virus infected Target’s point-of-sale terminals, said a person familiar with the matter who asked not to be identified because the investigation is private. Swiping cards had been considered safer than shopping online because the data are harder to steal, said Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York.
“Attacks of this scale are common, but attacks that get this class of data are unusual,” Kaminsky said. “It’s a war out there.”
Although swiping devices have been hacked in the past, the incidents typically occurred at a single machine or store, not chainwide, Kaminsky said. Target said account numbers, expiration dates, cardholder names and credit verification value had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.
Many nations have done away with the magnetic strips still used in the U.S. and moved to chips embedded in the cards that are harder to compromise. The U.S. payments industry has said it will replace magnetic strips by 2020; that deadline may be moved up in the wake of this incident, Kaminsky said.
Data breaches have hit other retailers in the past. TJX Cos., owner of the T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into its computer system and stole about 45.7 million credit and debit card numbers. The theft set a record for such breaches. In 2009, the company paid $9.7 million in a settlement with 41 U.S. states over the loss of customer data.
In July, four Russians and a Ukrainian were charged in what prosecutors called the largest hacking scheme in U.S. history, a break-in of computers of retail chains that included 7-Eleven Inc., Carrefour SA and Wet Seal Inc. More than 160 million credit card numbers were stolen.
Global card fraud losses for banks, merchants and processors climbed 15 percent to $11.3 billion last year from 2011, according to The Nilson Report, a payments-industry newsletter based in Carpinteria, Calif.
Molly Snyder, a spokesman for Target, declined Friday to comment on the cause of the breach, citing the ongoing investigation.
Target has 1,797 stores in the U.S. and 124 in Canada. The stock had gained 5 percent this year, compared with a 42 percent gain for the Standard & Poor’s 500 retailing index.
The breach came after the chain had already cut its annual forecast for same-store sales growth to 1 percent from as much as 2.5 percent in August. Doubts about its security could reduce purchases and the number of people who sign up for a REDcard, its inhouse credit and debit cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago. Those cardholders are the retailer’s biggest spenders, he said.
Jami Aspenwall, a 36-year old mother of five from Cartersville, Ga., said she canceled her Target-issued debit card after someone made $500 in purchases with it. Those losses will now force her to postpone a trip to Tampa, Fla., to see relatives for Christmas because her bank said it may take two weeks to get the money back.
“We’ll have to sit down with the kids tonight and tell them, ‘your trip is likely on hold,’” said Aspenwall, a stay-at-home mother of children from 3 to 18 years old. “I don’t want to ruin their Christmas. It’s not their fault.”
Shoppers at Target.com might be spooked, too. A link across the top of the site Thursday said: “important notice: unauthorized access to payment card data in U.S. stores.”
The credit-card companies said they were aware of the breach and were working with Target and law enforcement. Representatives from Discover Financial Services, Visa Inc., MasterCard Inc., American Express Co. and JPMorgan Chase & Co. said customers wouldn’t be responsible for fraudulent purchases made on their accounts.
In a letter posted on its website, Target encouraged customers to report any unusual activity on their accounts to their financial institutions. Target also said customers could call the company for assistance.
The retailer’s customers took to social media to voice displeasure about the breach and not being able to contact the company about their REDcard accounts.
One was Stephanie Manzano, a 28-year-old from Federal Way, Wash., who swore off Target after learning that data had been compromised. She canceled her Target debit card after not being able to reach the retailer’s customer service. She now plans to shop at Wal-Mart Stores Inc.
“It’s very stressful,” Manzano said. “I kept calling Target, and I just got a busy signal. While I’m trying to call them, someone could take my identity and take my money. … We’re a one-income household; we can’t afford that.”
Target is working to fix online access to account information, Snyder said. She didn’t respond to a separate request for comment on reports of fraudulent charges and canceled cards.
Information for this article was contributed by Paul Jarvis, Steven Komarow, Margaret Talev, Fanni Koszeg and Elizabeth Dexheimer of Bloomberg News.
Business, Pages 27 on 12/21/2013