The security breach of credit and debit card data at Target Corp. is evidence of the increasing threats retailers face and a reminder that the U.S. lags behind much of the world in securing personal financial information.
Target, the second-largest U.S. discount chain, said Thursday that data for about 40 million debit and credit cards may have been wrongfully accessed from Nov. 27 to Dec. 15. Law enforcement, including the U.S. Secret Service, and the state attorneys general of New York and Massachusetts are investigating.
The breach occurred when a computer virus infected Target’s point-of-sale terminals, said a person who asked not to be identified because the investigation is private. Swiping cards had been considered safer than shopping online because the data is harder to steal, according to Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York.
“Attacks of this scale are common, but attacks that get this class of data are unusual,” Kaminsky said. “It’s a war out there.”
The retailer was sued Friday in federal court in San Francisco by a Christmas shopper claiming she may have been exposed to identity theft.
Target said it does not comment on litigation.
While swiping devices have been hacked in the past, the incidents typically occurred at a single machine or store, not chain-wide, which is why this breach is troubling, Kaminsky said. Target said account numbers, expiration dates, cardholder names and credit verification value, or CVV, had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.