Target, one of the largest retail operations in North America, with stores in the U.S. and Canada, confirmed reports of a data breach on Thursday. However, while this is bad news, consumers should keep a cool head, remain vigilant, and avoid needless panic.
On Wednesday investigative journalist, Brian Krebs, reported that sources had informed him of a major data breach at Target that occurred during the Thanksgiving holiday. His story gained wide media attention, but that was mixed with large amounts of speculation, many reports latching on to past breaches at TJX and Heartland Payment Systems. Later in the evening the U.S. Secret Service confirmed they were looking into the matter.
Less than 24-hours after Krebs first published his report, Target released a statement that confirmed the data breach, and explained that some 40 million cards may have been impacted by the incident.
According to an internal investigation, Target says that the attackers were active between November 27 and December 15, at which point the breach was noticed internally and reported to authorities and various financial institutions. In a statement to customers, Target said that they mitigated the security problems immediately, and are working to ensure that they don't happen again.
That a retailer of Target's size and reach suffered a breach that impacted credit and debit cards, including card number, expiration date, and CVV (the three-digit security code), certainly falls into the category of bad news. This fact is made worse by the fact that the incident happened at the peak of holiday shopping season. However, there's no need to blindly panic.
In a statement to Salted Hash, Rapid7's Lee Weiner said:
"There’s a lot of speculation circulating around the Target compromise, and at the moment, that’s really all it is – speculation. Target has a lot of customers, and in the absence of hard details being available, it will be tempting for them to panic and start cutting up cards. Don’t do that!"
"It is sensible to be a little cautious if you shopped in a Target store between November 27th and December 15th, and the best way to exercise that caution is to take a look at your bank statements for suspicious behavior, and contact your card issuer to learn if you’re at risk."
First, anyone concerned about this breach needs to know that it only impacts U.S. shoppers who visited a Target store between November 27 and December 15. While Target's statement and letter to customers is lacking on many details, they are certain of the locations hit and the timeframe. So Target.com orders and Target shoppers in Canada are not affected.
Second, all U.S. residents have protections against credit fraud and identity theft. So if you know you were shopping at Target during the aforementioned timeframe, contact your bank, and alert them to the issue. If you use a Target RED card to shop, contact target immediately. Keep an eye on the charge statements and report anything that looks suspicious.
Customers in Iowa, Maryland, North Carolina, and Massachusetts have additional rights regarding a data breach of this nature. If you live in one of these states, examine Target's letter to customers for additional details.
Another thing to be mindful of is Phishing or other email-based attacks related to this data breach. In the aftermath of incidents such as this, criminals will use that as leverage in order to deliver malicious emails, Rapid7's Weiner added.
"You should also be wary of any communications from people claiming to be your bank. Incidents like this provide a great opportunity for other criminals to launch "piggyback" attacks. They can contact you through a call or email claiming to be your card issuer, and then get you to give them your banking information, online security credentials, or visit a malicious website."
"If you receive any communication around the incident, treat it with caution. Rather than sharing information on the phone, or following the directions in any email, call them back using the number on the back of your card, or go directly to the bank’s website through your search engine to verify what you’re being told."
The breach at Target is a serious incident, and should be treated as such. However, consumers have rights and protections, so keeping a cool head in situations like this is a better bet than raw panic.