The final weekend of Christmas sales is the worst possible time to have a security breach, but that’s what happened at Target. Sales are down at least three percent following a security breach in which hackers stole millions of credit cards.
Let’s back up a bit and review what happened.
40 Million Credit, Debit Cards Compromised
On December 19, Target disclosed that hackers gained access to as many as 40 million credit and debit cards used by customers of Target during the height of the holiday shopping season, in one of the biggest data breaches in history.
The Washington Post has details in “Target says 40 million credit, debit cards may have been compromised”:
Company officials offered few details on the intrusion, which reportedly began the day before Thanksgiving and lasted until Sunday this week. Security experts said that the kind of information stolen – including names, card numbers, expiration dates and three-digit security codes – could allow criminals to make fraudulent purchases almost anywhere in the world.
The breach highlighted vulnerabilities in the massive, interconnected shopping systems used for billions of dollars of retail transactions every day. Customers at Target’s nearly 1,800 stores in the United States were potentially affected, though those who shopped online were not, the company said.
“Whatever money Target thought they were going to get during the holiday season just got flushed down the data-breach toilet,” said John Kindervag, an analyst and data security expert at Forrester, a research firm. He estimated that Target will have to spend at least $100 million to cover legal costs and to fix whatever went wrong.
Kindervag said the company will owe money to card brands, like Visa and American Express, that have to reimburse customers for fraudulent transactions. Target, based in Minneapolis and one of the nation’s largest retailers, also faces the risk of enduring damage to its reputation, according to analysts and consumer advocates.
The number of serious data breaches appears to be rising. This month, JPMorgan Chase disclosed that 465,000 of its card users’ data had been stolen after an attack on the Web site for its prepaid card.
Stolen Cards for Sale on Black Market
Credit and debit card accounts stolen during a security breach involving retailer Target have reportedly flooded underground black markets, going on sale in batches of one million cards.
The cards are being sold from around $20 to more than $100 each, KrebsOnSecurity reports.
The security news site said it spoke to a fraud analyst at a major bank who said his team was able to buy a portion of the bank’s accounts from an online store advertised in cybercrime forums as a place where thieves can buy stolen cards.
The Target data theft is the second-largest credit card breach in U.S. history, exceeded only by a scam that began in 2005 involving retailer TJX Cos. That incident affected at least 45.7 million card users.
On Friday, Target reiterated that the stolen data included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip found on the backs of cards.
Angry Target customers expressed their displeasure in comments on the company’s Facebook page. Some even threatened to stop shopping at the store.
Target hasn’t disclosed exactly how the breach occurred but said it has fixed the problem.
Traffic at Target Stores Down 3-4%
In the wake of the data breach, traffic at Target stores is down 3-4%.
The number of transactions at Target slipped 3% to 4% compared with the final weekend before Christmas last year, estimates retail consultancy Customer Growth Partners LLC.
By contrast, transactions at other retailers were strong.
A spokeswoman for Target declined to comment specifically on this weekend’s results, saying the retailer reports sales on a quarterly basis. Target tried to limit the damage by offering a 10% discount to all customers in its U.S. stores over the weekend, and analysts said that effort helped.
“This is the worst possible time something like this could happen,” said Craig Johnson, president of Customer Growth Partners. His firm estimates that U.S. retail sales on Saturday totaled $17 billion, exceeding those on Black Friday by $2 billion.
The breach began Nov. 27 and wasn’t halted until Dec. 15.
J.P. Morgan Chase & Co. slapped daily spending limits on debit cards that had been used at Target stores during the period in question. Citigroup Inc., meanwhile, in some cases may lower limits, block transactions and reissue cards for debit-card holders if it sees suspicious activity, a person familiar with the matter said Sunday.
Mike “Mish” Shedlock