Target data stolen in hack showing up on black market

After 40 million accounts were compromised in a nationwide hack of the retail giant, fraud experts are seeing a "ten- to twentyfold increase" in high-value stolen cards on underground card-selling markets.

Target

As if the Target hack ordeal couldn't get any worse -- data from the retail chain's massive security breach stolen between November 27 and December 15 is popping up in huge quantities on the black market, The New York Times reported Friday.

After Target conceded Thursday that its in-store point-of-sale systems were indeed hacked, compromising as many as 40 million debit and credit card accounts, fraud industry experts are seeing the information flood online card-selling markets to the tune of a "ten- to twentyfold increase" in high-value cards.

The hack, which affected only shoppers who made purchases physically at Target stores and not online customers, was a sophisticated operation. It allowed the hackers to glean customer names, credit and debit card numbers, expiration dates, and three-digit security codes from customers, data that can then be burned onto counterfeit cards and sold on the black market typically for $20 to $45 apiece.

However, Brian Krebs, the security blogger who broke the story of the breach, reported Friday that batches of up to 1 million cards were selling for anywhere from $20 to as high as $100 per card.

Target CEO Gregg Steinhafel released a statement assuring customers that no one will be held responsible for fraudulent charges and that only a few instances of fraud had since been reported. That echoes a sentiment by Visa yesterday in a statement to CNET in which a company spokesperson said, "Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows."

Steinhafel also said that no PINs had been compromised, a grave concern for those potentially affected as compromised PINs would allow one in possession of a counterfeit card to withdraw cash from an ATM. He added that Target had no reason to believe that customers' Social Security numbers or dates of birth were scooped up in the hack.

Target expects to have notified all 40 million of those affected via e-mail by the end of the weekend. In an attempt to save itself for what will inevitably be a disastrous hit to its holiday sales, Steinhafel also announced a promotion:

We're in this together, and in that spirit, we are extending a 10% discount -- the same amount our team members receive -- to guests who shop in US stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.

Update at 8:45 a.m. PT on December 21: Target is also claiming that only data from a card's magnetic strip has been breached, meaning no three- or four-digit security codes that enable one to make online purchases were compromised in the hack.

Tags:
Security
About the author

Nick Statt is a staff writer for CNET. He previously wrote for ReadWrite and was a news associate at the social magazine app Flipboard. He spends a questionable amount of his free time contemplating his relationship with video games while continuously exploring the convergence of tech, science and pop culture.

 

Join the discussion

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

HOT ON CNET

Get ready for iOS 8

Here's what you need to know before downloading iOS 8 on your iPhone or iPad.