By Jim Finkle and Dhanya Skariachan
BOSTON Dec 19 Target Corp said hackers
have stolen data from up to 40 million credit and debit cards of
shoppers who visited its stores during the first three weeks of
the holiday season in the second-largest such breach reported by
a U.S. retailer.
The hackers worked at unprecedented speed, carrying out
their operation from the day before Thanksgiving to this past
Sunday, 19 days that are the heart of the crucial Christmas
holiday sales season.
Target, the third-largest U.S. retailer, said on Thursday
that it was working with federal law enforcement and outside
experts to prevent similar attacks in the future. It did not
disclose how its systems were compromised.
The retailer was alerted its systems might have been
compromised by credit card processors who had noticed a surge in
fraudulent transactions involving credit cards that had been
used at Target, according to a person familiar with the
investigation who was not authorized to discuss the matter.
The timing of the breach could not have been worse for
Target, coming just before three of the four busiest days of
what has been a bruising holiday season for retailers, with the
highest level of discounting in years. Target last month lowered
its profit forecast for the year.
"Most of these attacks are just a cost of doing business,"
said Mark Rasch, a former U.S. prosecutor of cyber crimes.
"But an attack that's targeted against a major retailer
during the peak of the Christmas season is much more than that
because it undermines confidence."
Investigators are still trying to understand how the attack
was carried out, including whether hackers found a weakness at
Target's computer network or through credit card services
vendors. It was not immediately clear what percent of the
transactions at its brick and mortar stores had been compromised
but the company said its online business had not been affected.
Massachusetts Attorney General Martha Coakley, who headed a
multi-state probe into a 2007 data breach at TJX Cos, said in a
statement that her office was talking to Target about the breach
and planned to work with other Attorneys General to determine
whether the company had proper safeguards in place.
New York Attorney General Eric Schneiderman said in a public
statement that he had asked Target for more information.
A customer in California filed a class-action lawsuit
against the company late on Thursday, the first of what lawyers
said could be many such suits.
Samantha Wredberg said in a court filing that she was a
regular shopper at Target and had used her credit card at a
company store on Dec. 8. Besides seeking damages, Wredberg asked
the court to certify the lawsuit as class action.
She also asked the court to explore whether "Target
unreasonably delayed in notifying affected customers
of the data breach".
The theft of credit and debit card data from Target
customers could end up costing hundreds of millions of dollars,
but it is unclear who will bear the expense, lawyers and
industry sources said.
The affected payment cards include Target's REDcard private
label debit and credit cards as well as other bank cards, Target
spokeswoman Molly Snyder said. She declined to say if the
incident was affecting store traffic.
The largest breach against a U.S. retailer, uncovered in
2007 at TJX Cos Inc, led to the theft of data from more
than 90 million credit cards over about 18 months.
Since then, companies have become far more adept at
identifying intruders. But criminals have responded by
developing more-powerful attack strategies, spending months on
reconnaissance to launch sophisticated schemes with the goal of
extracting as much data as they can in the shortest period of
Representatives for J.C. Penney Co Inc, Wal-Mart
Stores Inc, Best Buy Co Inc and Home Depot Inc
told Reuters they believed their systems had not been
compromised in similar attacks.
Target will provide more details on costs related to the
issue at a later date, Snyder said. She declined to comment when
asked if Target expected potential fines from MasterCard,
Visa and American Express or saw a possible
increase in merchant fees.
"It's so early in this investigation," Snyder said.
Avivah Litan, a Gartner analyst who specializes in
cyber-security and fraud detection, saw costs for Target. "They
are going to pay for any fraud on the card," she said. "They
will get fined (by card issuers) for non-compliance with payment
card security standards. Their merchant fee will probably go up
a few basis points."
Target's shares closed down 2.2 percent at $62.15 on the New
York Stock Exchange on Thursday afternoon, while the Standard &
Poor's 500 stock index fell 0.06 percent.
Target warned customers in an alert on its website that the
criminals had stolen names, payment card numbers, expiration
dates and security codes.
The company had identified the breach on Sunday and had
begun responding to it the same day, Snyder said. She declined
to explain why the retailer waited until Thursday to alert
Krebs on Security, a security industry blog that broke the
news on Wednesday, said the breach involved nearly all of
Target's 1,797 stores in the United States.
The U.S. Secret Service is working on the investigation,
according to an agency spokeswoman. A Federal Bureau of
Investigation spokeswoman declined to comment.
Customers began to complain early on Thursday via Target's
"Thank you Target for nearly costing me and my wife our
identities, we will never shop or purchase anything in your
store again," said one posting.
"Shop at Target, become a target," remarked another. "Gee,
Target's Snyder said it had been getting an "extremely high"
volume of calls from customers.
JPMorgan Chase & Co, one of the biggest U.S. credit
card issuers, said it was monitoring the accounts involved for
suspicious activity and urged customers to contact the bank if
they noticed any.
An American Express spokeswoman said the company was
aware of the incident and was putting fraud controls in place.
Major card brands typically offer their cardholders zero
liability and cardholders should contact their issuer if they
spot suspicious transactions, a Visa spokesman said, adding that
a breached account did not necessarily result in a fraudulent
"This could hurt the end of the holiday season if for no
other reason than many of their customers have to cancel cards
ahead of holidays," said Janney Capital Markets analyst David
The breach also comes at a time Target is trying to build
its online business, which by some estimates is only 2 percent
"All consumers will hear is that Target is not a safe place
to use your credit card. That impacts trust, which in turn can
impact retail's fastest-growing and most trust-sensitive touch
points: online and mobile," said Carol Spieckerman, president of
retail strategy firm newmarketbuilders.
Still, consumers tend to have short memories with these
things, so it will likely be less of an issue next quarter, said
Gartner analyst Litan.
"(Consumers) care more about discounts than security," she
The case is Samantha Wredberg vs Target Corp, Case No.
13-cv-05901, U.S. District Court, Northern District of