
Target Hack Stole Millions of Credit and Debit Cards

Countless customers’ data misused before the retailer sheepishly admits that it put them at risk

Photo: Joe Raedle/Getty Images

Hello, Target shoppers. Just in time for the holidays, your credit card data has been compromised. And according to Brian Krebs, the purloined information has been “flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” Krebs, who broke the story on his blog, Krebs On Security, on Wednesday, says that:

“[A bank, having been notified that a "card shop" with a reputation as a reliable source for stolen credit and debit cards] had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store…browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.”

But here’s the kicker:

“When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop,” says Krebs, “it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”

The day after Krebs’ revelation, the retailer issued a statement confirming that the customer information for roughly 40 million credit and debit cards swiped at Target stores between 27 November and 15 December had been, well, swiped. The company initially thought that the period over which the breach yielded stolen payment card information ended on 6 December, but as the investigation into the break-in continued, those hopes were dashed.

The team looking into the breach says it has found nothing to indicate that Target’s online customers were affected. What’s not known at this time is whether the hackers were able to gather PIN information for debit transactions. If they did, it would be possible to make phony cards that could empty bank accounts by withdrawing cash from ATMs.

Why the bricks-and-mortar and not the e-commerce customers? Though nothing has been confirmed, computer security experts suspect that the attackers went for the retailer’s point-of-sale (POS) system, the point of entry seen as the weakest link. The vulnerability of point-of-sale systems lies in the fact that they’re “usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider,” Mark Bower, vice president of product management at Voltage Security, said in a statement. “In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable,” says Bower. 
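Bower's point that registers "should be isolated from other networks, but often are connected to many systems" is only actionable if you can see when the isolation fails. The following is an added example, not code from the article or from Target: it parses a handful of constructed flow-log lines (source, destination, destination port, protocol) and flags any traffic into, out of, or between hosts on an assumed POS VLAN that is not on an explicit allowlist. The subnet, the payment-gateway and patch-server addresses, and the log format are all assumptions for illustration.

```python
"""Flag point-of-sale hosts that talk to anything outside an explicit allowlist.

Added example (not from the article). The POS network is assumed to be
10.20.0.0/24; registers are assumed to need exactly two remote endpoints,
the payment gateway and a patch/management server. Everything else is a
finding worth looking at.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

POS_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed POS VLAN

# Assumed allowlist: the only (address, port) pairs a register may reach.
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),  # payment gateway (hypothetical address)
    ("10.50.0.5", 443),     # patch/management server (hypothetical address)
}
# Assumed: the only host allowed to open connections *into* the POS VLAN.
ALLOWED_INGRESS_SRC = {"10.50.0.5"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a flow that breaks POS isolation, else None."""
    src_in_pos = ipaddress.ip_address(flow.src) in POS_NET
    dst_in_pos = ipaddress.ip_address(flow.dst) in POS_NET

    if src_in_pos and not dst_in_pos:
        # Register reaching out: only the gateway and patch server are expected.
        if (flow.dst, flow.dport) not in ALLOWED_EGRESS:
            return "egress-violation"
    elif dst_in_pos and not src_in_pos:
        # Something outside the VLAN initiating a connection to a register.
        if flow.src not in ALLOWED_INGRESS_SRC:
            return "ingress-violation"
    elif src_in_pos and dst_in_pos:
        # Registers have no reason to talk to each other; flag for review.
        return "lateral"
    return None


def find_violations(lines: List[str]) -> List[Tuple[str, Flow]]:
    """Run classify() over log lines, skipping blanks and '#' comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            findings.append((verdict, flow))
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """
# src            dst            dport proto
10.20.0.7        203.0.113.10   443   tcp
10.20.0.7        10.50.0.5      443   tcp
10.20.0.12       198.51.100.23  80    tcp
10.20.0.12       10.30.0.40     445   tcp
10.30.0.99       10.20.0.12     3389  tcp
10.20.0.3        10.20.0.4      445   tcp
10.30.0.99       10.30.0.40     445   tcp
"""

if __name__ == "__main__":
    for verdict, flow in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:18} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

In the sample, the register at 10.20.0.12 browsing an arbitrary internet host on port 80 and mounting a corporate file share over SMB, a corporate workstation opening RDP to a register, and two registers talking to each other on 445 are all reported; the two expected flows and the corporate-only flow are not. Real NetFlow or firewall exports carry more fields and a different layout, so only parse_flow needs to change to run this over them.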

Target will get a chance to explain exactly how it happened in court. A Bloomberg Businessweek article says that a California resident affected by the data breach has already filed a lawsuit against the company. The complaint asserts that, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The plaintiff, says the article, is looking to make it into a class-action suit.

Furthering the indignity, the retailer's online systems and call centers have been overwhelmed by a torrent of customers trying to find out more about the attack and to determine whether they had been affected, according to the Star Tribune, the hometown newspaper of Minneapolis-based Target.
