Target Corp. confirms that a network intrusion may have exposed approximately 40 million debit and credit accounts. U.S. point-of-sale transactions conducted between Nov. 27 and Dec. 15 were likely affected, the company says.
The big box retailer operates 1,797 stores in the U.S. and 124 in Canada.
Target says it "has identified and resolved the issue," and is now working closely with law enforcement and banking institutions. Various media outlets have reported that the Secret Service is involved in the investigation.
The company did not say how the network was penetrated.
"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the company says. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
Reports About Breach
News of a possible breach of card data broke Dec. 18, when security blogger Brian Krebs reported that a breach that started on Black Friday had likely affected an unknown number of Target customers who shopped at the company's main street stores.
But Target now confirms that the breach actually began two days earlier.
Several sources tell Information Security Media Group that MasterCard and Visa have both issued alerts about the alleged attack, and one executive from a leading U.S. card issuer, who asked not to be identified, says MasterCard has so far issued nine fraud alerts believed to be linked to Target.
Another executive from a second leading issuer, which has seen activity suggesting a Target attack, says it's likely that fraud activity is limited to only a handful of issuers at this point.
"Perhaps the fraudsters are selling this info by card type," the executive, who asked not to be identified, says. "I hear from contacts at a processor that activity indicates that they might be going BIN [bank identification number] by BIN. We haven't seen a spike in volume yet, but we are monitoring."
The breach of card data linked to Target is just the latest in a long line of card retailer breaches.
Targeted malware attacks against grocery chain Schnuck Markets Inc., supermarket chain Bashas' Family of Stores, convenience store chain MAPCO Express, and retail tool store chain Harbor Freight Tools were all blamed for card breaches.
Earlier this month, JPMorgan Chase confirmed a breach of its UCard Center website, which exposed some 465,000 prepaid card accounts. And in May, a similar prepaid card breach, which was traced back to two Middle Eastern Banks, was linked to a $45 million global ATM cash-out scheme dating back to late 2012.
Industry experts say these types of attacks are escalating because of poor point-of-sale and network security, which too often relies on outdated software and default passwords for remote network and system access.