Why Target shoppers shouldn't stress about credit card hack

Millions of Target customers were potentially the victims of a massive credit card theft.

Target is saying this morning that about 40 million credit and debit cards were compromised in a giant data theft that occurred at nearly all of Target’s 1,800 locations during the Black Friday weekend. So far it seems like only people who shopped at a brick and mortar store—the data breach doesn’t seem to have affected online shoppers.

The crime may have involved hacking into the actual machines stores use to swipe cards. “If we look at previous breaches, it’s likely the bad guys got in via some kind of internal access to the store,” says online security expert Brian Krebs, who broke the story. “It could even be physical access to the store.” Krebs says a big TJ Maxx data breach back in 2007, where 45 million cards were compromised, started with two guys sitting in their car in a store’s parking lot with an antennae pointed at the store’s wireless network.

The data theft hit customers on Black Friday and seems to have lasted for a couple of weeks—until December 15th.

If you were a Target shopper during that time, Krebs says you probably shouldn’t worry. He says consumers are not liable for fraud on their card, though banks might reissue some cards proactively.

He says the real monetary hit will be to Target. “They’re going to face fines and they’re going to face lawsuits from card issuers like Visa and Mastercard,” says Krebs. “And Target’s going to pay a lot of money to banks because of this.”

Krebs said Target has actually been very proactive with security, but it’s really hard to stay ahead of these criminals. 

About the author

Stacey Vanek Smith is a senior reporter for Marketplace, where she covers banking, consumer finance, housing and advertising.
Log in to post2 Comments

To add to what Jeh1 said, I wish to clarify that neither the credit card issuers nor the banks are the ones that take the dollar loss of the stolen items. It is the retail stores themselves that swallow the loss. So the person at the credit card company who said that they add the cost of the losses into the 2-3% charge they require businesses to pay them in order to accept credit cards at their store was not correct. What happens is that the money the retail business received at the time of the purchase gets taken back from the store by the bank once the fraud has been detected and deemed to be truly a fraudulent purchase by the credit card issuer. I know how this works because I used to work in the 'chargeback' department of a major cc issuer. So while the credit card issuer does not lose the dollar amount of the stolen merchandise, the credit card issuer does have the expense of staffing and running their fraud departments. I just wanted to make this distinction clear.

Exactly two years ago someone bought $1000 TV at a Target store about 20 miles from our home while we were 100 miles away. When they tried to buy another $900 item, the card company called me to confirm it, which I of course denied. They said the second purchase was denied but the first one OKed, so it would be some time before it gets removed from my statements.
Thus began one of the strangest situations I have ever been involved in.
When I got home, I called the store and was directed to the security person at the store. I knew the exact time of the purchases so I asked him if he had video of the checkout. He checked while I was on the phone, confirmed that the person making the transactions was visible. He said he would immediately burn a CD of the video but he could not give it to me, but only to the police. He said I needed to file a police report.
I duly went to the nearest police station and said I wanted to file a report of credit card fraud. The receptionist laughed at me. I finally got her to have someone in the department involved in fraud talk to me. I was told that the department was not interested in credit card fraud and would not let me file a report. If they took these kinds of reports, she said, they would be getting 50-100 every day and had no time to follow up on them.
To close up the loose ends, I called the credit card company back. I explained that someone had counterfeited my card and there was video of the transactions. They said, basically, "so what?" They explained they have millions of reports of credit card fraud monthly and there is no time to investigate. They take the losses and add it into the percentage they charge companies to accept credit cards - 2-3%.
What did I learn from this?
Credit card fraud is a no-risk crime.

With Generous Support From...