
Target data stolen in hack showing up on black market

After 40 million accounts were compromised in a nationwide hack of the retail giant, fraud experts are seeing a "ten- to twentyfold increase" in high-value stolen cards on underground card-selling markets.

Nick Statt Former Staff Reporter / News

As if the Target hack ordeal couldn't get any worse -- data from the retail chain's massive security breach stolen between November 27 and December 15 is popping up in huge quantities on the black market, The New York Times reported Friday.

After Target conceded Thursday that its in-store point-of-sale systems were indeed hacked, compromising as many as 40 million debit and credit card accounts, fraud industry experts are seeing the information flood online card-selling markets to the tune of a "ten- to twentyfold increase" in high-value cards.

The hack, which affected only shoppers who made purchases physically at Target stores and not online customers, was a sophisticated operation. It allowed the hackers to glean customer names, credit and debit card numbers, expiration dates, and three-digit security codes from customers, data that can then be burned onto counterfeit cards and sold on the black market typically for $20 to $45 apiece.

However, Brian Krebs, the security blogger who broke the story of the breach, reported Friday that batches of up to 1 million cards were selling for anywhere from $20 to as high as $100 per card.

Target CEO Gregg Steinhafel released a statement assuring customers that no one will be held responsible for fraudulent charges and that only a few instances of fraud had since been reported. That echoes a sentiment by Visa yesterday in a statement to CNET in which a company spokesperson said, "Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows."

Steinhafel also said that no PINs had been compromised, a grave concern for those potentially affected as compromised PINs would allow one in possession of a counterfeit card to withdraw cash from an ATM. He added that Target had no reason to believe that customers' Social Security numbers or dates of birth were scooped up in the hack.

Target expects to have notified all 40 million of those affected via e-mail by the end of the weekend. In an attempt to save the company from what will inevitably be a disastrous hit to its holiday sales, Steinhafel also announced a promotion:

"We're in this together, and in that spirit, we are extending a 10% discount -- the same amount our team members receive -- to guests who shop in US stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores."

Update at 8:45 a.m. PT on December 21: Target is also claiming that only data from a card's magnetic strip has been breached, meaning no three- or four-digit security codes that enable one to make online purchases were compromised in the hack.