Target Data Breach
By Jim Finkle and David Henry


BOSTON and NEW YORK -- Hackers who attacked Target and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers, according to a senior payments executive familiar with the situation.

One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

Target (TGT) spokeswoman Molly Snyder said "no unencrypted PIN data was accessed" and there was no evidence that PIN data has been "compromised." She confirmed that some "encrypted data" was stolen, but declined to say if that included encrypted PINs.

"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."

The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.

Target hasn't said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

While bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase (JPM) and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.

The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused from the late November Thanksgiving holiday into the run-up to Christmas. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.

JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman wasn't available for comment Tuesday.

Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. "They definitely found something in the data that showed there was something happening with cash withdrawals."

Breaking the Code

While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding can't stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they won't know for sure if Target's PIN encryption was infallible until the investigation is completed.

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

The attack on Target began on Nov. 27, the day before the Thanksgiving holiday, and continued until Dec. 15. Banks that issue debit and credit cards learned about the breach on Dec. 18, and Target publicly disclosed the loss of personal account data on Dec. 19.

On Dec. 21, JPMorgan, the largest U.S. bank, alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.

On Monday, the bank partly eased the limits it had imposed Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases. (The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokeswoman said last week.)

On Monday, Santander -- a unit of Spain's Banco Santander -- followed suit, lowering the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred. Santander didn't disclose the new limits, but said it was monitoring the accounts and issuing new cards to customers who were affected.

The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos. (TJX), led to the theft of data from more than 90 million credit cards over about 18 months.

-Additional reporting by Dhanya Skariachan in New York; writing by Paritosh Bansal.


65 Comments
H

Don't forget to look at these Target sites:

http://targetfiling.blogspot.com/
http://targetpayandbenefits.blogspot.com
http://beckfordvtarget.blogspot.com/
http://diaz-target.blogspot.com/
http://targetccguidelines.blogspot.com/
http://targetguidelines.blogspot.com/
http://targetapdirectives2006.blogspot.com/
http://www.citmedialaw.org/threats/target-corp-v-doe
http://targetstoressucks.blogspot.com/
http://www.ihatetarget.net/

February 26 2014 at 9:37 AM
biffula

My wife did some Christmas shopping at Target during the hacked time frame. She went to the bank and got a new debit card. If you have shopped at Target in the past year and haven't already cancelled your old card and gotten a new one, you get what you deserve. Worrying about your pin # in this situation is worthless. There are ways the hackers can use that card without your pin. Wake up sheeple.

January 01 2014 at 1:40 PM
Rae Lynn

Each time I read an article about this situation, I have an image of bankers, retailers and bank customers wringing their hands, not knowing what to do. Yes, it is a violation to have your account information hacked, but really folks, there is a simple solution. If you KNOW you shopped at Target during the dates released, then simply contact your institution, cancel the cards attached to the accounts and have new cards issued with new PIN numbers. My husband traveled through LaGuardia airport in February. Apparently, someone read his magnetic strip. In April we received a call from one of the credit card companies asking if we had shopped in California recently. We had not, so the card was cancelled and a new one issued. It never occurred to us to sue anyone and a prompt solution was provided. Why do people act so entitled over everything?

December 27 2013 at 7:42 PM
M

It may be somehow related that sometime last century (before 2000, yes, *sigh*, I am that old...) Target was issuing their own cards with the smart chips in them. They also issued their card customers the devices and software to use with those cards, and the customers' own computers.

This would be interesting for several reasons:

1) If Target *had* their own staff doing the card work and security, that could have led to disgruntled former employees with insider information.

2) Since security experts claim that Smart Cards are THE most difficult to breach their security, the hackers at large may have taken that as a challenge. If so, what better way to discourage such an approach than causing a BIG scandal? If it was big enough, the security and IT people would be/are humiliated, and very possibly placed under suspicion. A wholesale *housecleaning* of those two groups would almost certainly cause a significant delay in implementing those Smart Cards, and open an opportunity to plant new employees in those positions, as infiltrators with bad intentions.

Hmmmm, and the breach *coincidentally* occurred during THE heaviest period of usage, and grabbed disproportionately huge amounts of data during a relatively short period of time when the experts would likely be managing the heavy traffic of holiday shopping, and less likely to notice something unusual. I cannot imagine that was a coincidence... *Sophisticated* is a word I think is appropriate; amateur hackers get in whenever they can, lacking at least that level of planning.

Infiltrators? Yes.
Remember that the NSA *leaker*, Snowden, passed the security checks, which I would hope is both more thorough and detailed than a typical employment background check for a retail company.

December 27 2013 at 6:31 AM (+1)
weirdo

"The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense."

Take a wild guess....

December 27 2013 at 5:49 AM
Welcome King

It took them three weeks to catch on to the fact that someone was stealing personal data.

December 26 2013 at 11:37 PM
Oceana6695

I guess those prepaid Visa cards that you can load at the store with cash might be the way to go when holiday shopping. Credit cards should only be used in case of emergency (fixing the car, etc.) or to buy airline tickets.

December 26 2013 at 9:56 PM (-1)
BaraBara Dominicano

http://tecnologiageek.com/hackers-roban-millones-monedas-virtual-dogecoins/

This happens in all the USA.

December 26 2013 at 5:17 PM
frankfv8

In all of this the bank wins: they restrict how much money you get to take out or purchase with your card, knowing that not many will apply for a new one quickly, so they get to use your money and get interest on it. They get more out of it than the hackers.

December 26 2013 at 12:37 PM (-1)
1 reply to frankfv8's comment
M

Actually, the interest is a trivial gain compared to the possible loss of *ALL* the fraudulent withdrawals and purchases. Sure, there is a small chance the banks might be able to sue Target to recover some small part of those losses, but that's not very likely.

In summary, it is not that the banksters *win*, as much as they do NOT intend to *lose* big. (It seems bad PR *may not* cost them as much as the possible losses from doing nothing...)

A co-worker had a renewal credit card apparently taken from his mailbox, and fraudulently used by a neighborhood teenager. (The kid was smart/knowledgeable enough to limit the purchases (at that time) to less than the amount that would be verified through the card processors.) I don't know for sure, but it is likely that all uses are currently verified through the card processors now, but the lesson he, and all his co-workers, learned is that the card is the property of the issuer, not the holder!!

Why is that important? Both the police and the bank told him that even if the kid waved the stolen card in his face, HE (the authorized cardholder) had NO standing to do anything to the thief. That was because the card was the card issuer's property, not his. (And there was little doubt it was one kid, because he was wearing the items that were fraudulently purchased!) The police needed the bank to complain, and the bank was NOT interested in receiving the name and address of the thief, apparently because it would cost them more to file a complaint with the police and get the thief prosecuted!!! It was both cheaper and MUCH quicker to cancel the card, issue a new card to the authorized user, and reverse the fraudulent charges...

The bad news for the victim of the card theft and fraudulent use?
He had no credit card to use during that time, (about three weeks), the card limit was reached, affecting both his minimum payments, interest rate, AND his credit rating, and ONLY the minimum payments and interest rates could be restored by fighting the bank. That credit rating could/(did?) affect all of his other loans and cards, (including reducing his limits and increasing interest rates), but can take six months for the effects to be felt.
YIKES!!!

December 27 2013 at 5:46 AM
birdeeputter

That's the problem with this world: everyone uses plastic. If you use cash, no one knows how much cash you have on you unless you tell them. The government hates cash, it's easy for them and the IRS to track every purchase you make. Use cash, simple.

December 26 2013 at 12:34 PM (+1)