Target is saying this morning that about 40 million credit and debit cards were compromised in a giant data theft that occurred at nearly all of Target’s 1,800 locations during the Black Friday weekend. So far it seems that only people who shopped at a brick-and-mortar store were affected; the data breach doesn’t seem to have affected online shoppers.

The crime may have involved hacking into the actual machines stores use to swipe cards. “If we look at previous breaches, it’s likely the bad guys got in via some kind of internal access to the store,” says online security expert Brian Krebs, who broke the story. “It could even be physical access to the store.” Krebs says a big TJ Maxx data breach back in 2007, where 45 million cards were compromised, started with two guys sitting in their car in a store’s parking lot with an antenna pointed at the store’s wireless network.

The data theft hit customers on Black Friday and seems to have lasted for a couple of weeks—until December 15th.

If you were a Target shopper during that time, Krebs says you probably shouldn’t worry. He says consumers are not liable for fraud on their card, though banks might reissue some cards proactively.

He says the real monetary hit will be to Target. “They’re going to face fines and they’re going to face lawsuits from card issuers like Visa and Mastercard,” says Krebs. “And Target’s going to pay a lot of money to banks because of this.”

Krebs said Target has actually been very proactive with security, but it’s really hard to stay ahead of these criminals. 

