By Mark Hosenball and Dhanya Skariachan
WASHINGTON Dec 20 Investigators believe that
overseas hackers were responsible for the cyber attack on U.S.
retailer Target Corp that compromised up to 40 million
payment cards during the first three weeks of the holiday
shopping season, a person familiar with the matter said on
The person, who was not authorized to talk publicly about
the matter, declined to say how the hackers got in or where
investigators believe they are based, saying investigators don't
want to show their hand to the criminals.
Meanwhile the blogger who first broke news of the breach,
Brian Krebs, reported that data stolen from Target had begun
flooding underground markets that sell stolen credit cards.
KrebsOnSecurity.com reported on Friday that cards stolen
from Target were being offered at "card shops" for rates
starting at $20 each and going to more than $100.
Target has said that hackers accessed data on up to 40
million payment cards over 19 days through Dec 15 in the
second-largest retail breach in U.S. history. It is not known
who is behind the attack or how they accessed Target's network.
A Secret Service spokesman declined to comment on the
investigation, which the agency is running.
The retailer reported the breach on Thursday, a day after
Krebs broke news of the attack. Target has declined to say how
its systems were compromised and has provided few other details
about the case.
Target sought to reassure customers that it was safe to shop
at its stores and encouraged them to do so by offering 10
percent discounts off most merchandise on Saturday and Sunday,
the last weekend before Christmas.
"We're in this together, and in that spirit, we are
extending a 10 percent discount - the same amount our team
members receive," Chief Executive Gregg Steinhafel in a
statement on Target's website.
Groceries are eligible for the discount, though video games,
gift cards, mobile phones and a few other items are excluded.
Steinhafel said the company would offer free credit
monitoring services and downplayed the impact the breach might
have on customers.
"We want our guests to understand that just because they
shopped at Target during the impacted time frame, it doesn't
mean they are victims of fraud," he said. "In fact, in other
similar situations, there are typically low levels of actual
He promised that the customers would "not be held
financially responsible for any credit or debit card fraud."
However, Carol Spieckerman, president of retail strategy
firm newmarketbuilders, raised doubts about whether the
discounts would be good enough to win back shoppers. "In the
absence of a definitive status update on the breach, the
promotions make it seem as though Target isn't addressing its
customer's concerns," she said.
"Target needs to reassure its customers that the breach is
over and that any transactions that occurred after Dec. 15th are
secure," Spieckerman said.
Separately, Target spokeswoman Molly Snyder said in a
written statement that "we are hearing very few reports of
She said stolen information was limited to data stored on
the magnetic strip.
The hackers did not obtain PIN numbers used to access ATMs
or the three or four-digit security codes that are printed on
cards to verify online purchases, Snyder said.
She also said Target has provided exposed card numbers to
Visa, MasterCard, Discover and American
Express. Those companies are in turn providing the
information to the financial institutions that issue them.