Target (NYSE:TGT) announced Thursday morning that it identified and resolved the problem involving stolen data from about 40 million of its customers’ credit and debit cards over a three week period, but the retailer’s problems are far from over. According to American Banker, the thieves are now selling the card account information as fast as they can on underground sites, and for them, time is of the essence, because the U.S. Secret Service is already on the case, financial institutions are already thinking about canceling cards, and some cards are already due to expire. Security blogger and expert Brian Krebs explains, “The guys who stole them can’t offload them fast enough, because 5-10 percent of [the cards] are about to expire. There’s a fire sale going on right now — they lose value for every day they don’t sell them.”
It is still unclear how hackers got the card information, but Target knows that 40 million accounts from shoppers who visited Target between November 27 and December 15 were compromised, and the criminals were able to obtain basic account data listed on the magnetic stripes of the cards, including name, account number, and card expiration data. Krebs first leaked the news of the security breach on Wednesday night, and then Target confirmed the news Thursday morning, leading to a drop of Target shares in pre-market trading.
According to American Banker, Target won’t release information explaining how it was hacked until the retailer is confident the security breach can’t happen again. But unfortunately, considering the attack affected all of Target’s 1,800 stores, that could take a while — and consumers may decide to avoid Target locations until the complications are worked out. Brian Sozzi, CEO of Belus Capital Advisors, explained to Reuters Thursday, “While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales trend in January.”
Nonetheless, Target will remain tightlipped about its investigation with a third-party forensics firm until the retailer is sure it has identified the issue. As for Krebs, he gave American Banker an interview Thursday and explained, “My best guess is [Target] got hit by hackers who got into their network, and were able to push malicious software out to the point of sale systems. We probably won’t know for certain for weeks or months.”
So now, card issuers will need to decide how they will respond in the short term. Because there is a strong likelihood that card fraud will take place with the stolen data, issuers are already considering canceling all of the affected cards, or even frequenting the underground forums to learn more about the theft. American Banker explains that the data breach could have far-reaching implications. With the compromised data, thieves can not only duplicate the cards, they can also used them at ATMs and POS terminals if the affected cards are debit cards. Even Target’s Red card can be used for debit or credit if customers tie their bank account information to the card, further complicating the problem.
Thus, it is clear that Target got more than it bargained for this holiday season, and its fellow retailers will need to take note of what has happened to their competitor and ensure they don’t suffer the same fate. It’ll be interesting to see how all parties respond, including Target, card issuers, and other retailers, but Krebs maintains, “A lot of issuers will take a wait-and-see approach. They’re probably getting inundated with calls from people who shop at Target who are freaking out about what to do. The last thing they want to do is cancel these people’s cards around Christmas. I’m positive Target would much rather have seen this come out on December 26.”