Target probe eyes overseas hackers; stolen cards for sale online

WASHINGTON Fri Dec 20, 2013 8:43pm EST

Merchandise baskets are lined up outside a Target department store in Palm Coast, Florida, December 9, 2013. REUTERS/Larry Downing

Merchandise baskets are lined up outside a Target department store in Palm Coast, Florida, December 9, 2013.

Credit: Reuters/Larry Downing

Related Topics

WASHINGTON (Reuters) - Investigators believe that overseas hackers were responsible for the cyber attack on U.S. retailer Target Corp that compromised up to 40 million payment cards during the first three weeks of the holiday shopping season, a person familiar with the matter said on Friday.

The person, who was not authorized to talk publicly about the matter, declined to say how the hackers got in or where investigators believe they are based, saying investigators don't want to show their hand to the criminals.

Meanwhile the blogger who first broke news of the breach, Brian Krebs, reported that data stolen from Target had begun flooding underground markets that sell stolen credit cards.

KrebsOnSecurity.com reported on Friday that cards stolen from Target were being offered at "card shops" for rates starting at $20 each and going to more than $100.

Target has said that hackers accessed data on up to 40 million payment cards over 19 days through Dec 15 in the second-largest retail breach in U.S. history. It is not known who is behind the attack or how they accessed Target's network.

A Secret Service spokesman declined to comment on the investigation, which the agency is running.

The retailer reported the breach on Thursday, a day after Krebs broke news of the attack. Target has declined to say how its systems were compromised and has provided few other details about the case.

Target sought to reassure customers that it was safe to shop at its stores and encouraged them to do so by offering 10 percent discounts off most merchandise on Saturday and Sunday, the last weekend before Christmas.

"We're in this together, and in that spirit, we are extending a 10 percent discount - the same amount our team members receive," Chief Executive Gregg Steinhafel in a statement on Target's website.

Groceries are eligible for the discount, though video games, gift cards, mobile phones and a few other items are excluded.

Steinhafel said the company would offer free credit monitoring services and downplayed the impact the breach might have on customers.

"We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn't mean they are victims of fraud," he said. "In fact, in other similar situations, there are typically low levels of actual fraud."

He promised that the customers would "not be held financially responsible for any credit or debit card fraud."

However, Carol Spieckerman, president of retail strategy firm newmarketbuilders, raised doubts about whether the discounts would be good enough to win back shoppers. "In the absence of a definitive status update on the breach, the promotions make it seem as though Target isn't addressing its customer's concerns," she said.

"Target needs to reassure its customers that the breach is over and that any transactions that occurred after December 15th are secure," Spieckerman said.

Separately, Target spokeswoman Molly Snyder said in a written statement that "we are hearing very few reports of actual fraud."

She said stolen information was limited to data stored on the magnetic strip.

The hackers did not obtain PIN numbers used to access ATMs or the three or four-digit security codes that are printed on cards to verify online purchases, Snyder said.

She also said Target has provided exposed card numbers to Visa, MasterCard, Discover and American Express. Those companies are in turn providing the information to the financial institutions that issue them. (Reporting by Mark Hosenball, Dhanya Skariachan,Jim Finkle and Varun Aggarwal; Editing by Steve Orlofsky, Bob Burgdorfer, Andrew Hay and Ken Wills)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (7)
What payment methods are being accepted by these sellers of stolen credit card information?

Dec 20, 2013 8:56pm EST  --  Report as abuse
Ah, never mind. The Krebs post indicates they are accepting payment via “Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram”.

Dec 20, 2013 9:03pm EST  --  Report as abuse
chekovmerlin wrote:
Statements from Target are just phony. 1) When I was hijacked by a person who stole my numbers in Home Depot, Home Depot (In Southern California and Florida). hadn’t a clue. Neither did TJMaxx in Florida. VISA notified me because they were monitoring my card along will millions of other VISA cards. Cards are worthless now or go for about $1.00 2) The cards are probably worthless within two days of the announcement because people have been notified, VISA, MC, AMEX, DISCOVER have received notice even before the media. That they don’t register pins on Debit Cards on the magnetic strip is not really true. What gives TARGET the information to say this I don’t know, but people in the industry have told me on several occasions never to use my pin and treat the card like a credit card. The magnetic strip logs the expiration date, name of the holder, mailing address, etc.

Dec 20, 2013 10:22pm EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.