On Thursday, Target announced that hackers gained access to as many as 40 million credit and debit cards used by its customers during the height of the holiday shopping season in one of the biggest data breaches in history.
The hackers worked at unprecedented speed, carrying out their operation from the day before Thanksgiving to this past Sunday, 19 days that are the heart of the crucial Christmas holiday sales season.
The third-largest U.S. retailer claimed that it was working with federal law enforcement and outside experts to prevent similar attacks in the future; however, it is still unclear exactly how its systems were compromised.
Target said it notified law enforcement authorities and financial institutions after discovering the breach. The company said it also has hired an outside forensics firm to investigate the incident and strengthen its systems.
The Secret Service, which investigates financial fraud, is looking into the intrusion. Major breaches in the past have drawn scrutiny and in some cases fines from federal and state officials when they determined that companies did not adequately protect private customer information.
Reportedly, Target’s systems are compliant with the Payment Card Industry (PCI) security standards. There’s no evidence so far of sophisticated hackers. The kind of theft involved allowed the perpetrators to create phony credit cards, but not necessarily to use PINs for debit purchases. So far, the whole thing seems to be a strictly offline affair, with the e-commerce side of Target’s operation looking much more secure than its in-store experience.
The timing of the breach could not have been worse for Target, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years. Target itself last month lowered its profit forecast for the year after disappointing sales in the third quarter, says Reuters.
“Whatever money Target thought they were going to get during the holiday season just got flushed down the data-breach toilet,” said John Kindervag, an analyst and data security expert at Forrester, a research firm. He estimated that Target will have to spend at least $100 million to cover legal costs and to fix whatever went wrong.
Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers.
The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.
Massachusetts Attorney General Martha Coakley, who headed a multi-state probe into a 2007 data breach at TJX Cos, said in a statement that her office was talking to Target about the breach and how the company is addressing it, and plans to work with other Attorneys General to determine whether the company had proper safeguards in place.