Target confirms malware used on point-of-sale terminals

During an interview with CNBC, retailer's CEO defends four-day delay in notifying customers of security breach as necessary for the investigation and preparation for consumer reaction.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

Hackers infected Target's point-of-sale terminals with malware to steal the payment card information from millions of customers, the retailer's chief executive has confirmed.

The security breach, which yielded the personal information of as many as 110 million customers, was first identified on December 15, four days before the breach was publicly revealed, CEO Gregg Steinhafel told CNBC during an interview. Target revealed Friday that the security breach it suffered between November 27 and December 15 was larger than originally believed, yielding the names, mailing addresses, phone numbers, and e-mail addresses for near three times its original estimate of 40 million customers.

"Sunday [December 15] was really Day 1. That was the day we confirmed we had an issue and so our number one priority was ... making our environment safe and secure," Steinhafel said in the interview. "By six o'clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk."

Steinhafel defended the four-day delay in its notification process as necessary for investigators and consumer preparation.

"Day 2 was really about initiating the investigation work and the forensic work ... that has been ongoing. Day 3 was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and Day 4 was about notification," he told CNBC in an interview scheduled to air Monday.

Target was not the only US retailer to suffer a security breach during the holiday shopping season. Upscale department store Neiman Marcus confirmed on Friday that its database of customer information was hacked last month around the same time as the attack on Target. Additionally, Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be publicly revealed.

The practice of payment card skimming at point-of-sale terminals has become more frequent in recent years, often victimizing customers of well-known retailers. Bookseller Barnes & Noble discovered in fall 2012 that hackers had broken into keypads at more than 60 locations around the United States and made off with customers' credit card information. That same month, two Romanian men pled guilty to hacking point-of-sale terminals at hundreds of Subway sandwich stores in the US to steal credit card data from more than 146,000 accounts.