Target Credit Card Hack: What You Need to Know

NEW YORK (CNNMoney) — The major hack of discount retailer Target that stole credit and debit card data from 40 million accounts was still reverberating several days later.

Target acknowledged the hack on Thursday — three weeks after customer data was first scooped up on Black Friday.

On Sunday, Target spokeswoman Molly Snyder said the company had notified millions of affected customers for whom it had email addresses.

Major banks and card issuers said they were monitoring customer accounts. JPMorgan Chase said it would limit the amount customers could withdraw from ATMs and spend in stores.

Two U.S. senators jumped in with demands for investigations.

Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. Richard Blumenthal called for a Federal Trade Commission probe, saying “it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information.”

Meanwhile, plaintiffs in California sought to bring a class action and said Target “failed to implement and maintain reasonable security procedures and practices.” Local media reported that another lawsuit was filed in a Rhode Island federal court.

What was stolen? The hack affected customers who shopped at U.S. Target stores between November 27 and December 15, Target said.

Customer names, credit or debit card numbers, expiration dates and CVVs were involved in the information theft, Target said. The CVV — the card verification value, also known as the security code — is a three or four-digit number typically requested by retailers when making purchases online or over the phone.

Hackers could use this data to make card replicas. Robert Ahdoot, a lawyer for the California plaintiffs, said he spoke to customers who claimed unauthorized ATM withdrawals had been made from their accounts.

PIN numbers, other customer information like Social Security numbers, and employee records were not compromised, Target said.

What is Target doing? Target said it would offer affected customers a free credit monitoring service and set up a telephone hotline. It also offered a store-wide 10% discount on Saturday and Sunday.

The company said it “began investigating the incident as soon as we learned of it” through a “leading third-party forensics firm.” The company said it also notified banks and law enforcement.

The Secret Service, which safeguards the nation’s financial systems, said it was investigating, and on Friday, New York Attorney General Eric Schneiderman pledged to investigate.

CEO Gregg Steinhafel said “the cause of this issue has been addressed and you can shop with confidence at Target.” He did not say how he knew customer data was no longer being stolen, nor how the hackers managed to swipe the credit card data.

How do you know if you were hacked? The easiest way to spot unauthorized purchases is to regularly check your paper or online statement. Sometimes hackers ping an account for only a few cents to verify they have an active account.

Hacked or not, what should you do? If you shopped at Target between November 27 and December 17, you should call your credit card company, bank and Target. Request a replacement card — if one isn’t already on the way — and change your PIN.

Customers typically aren’t liable for unauthorized purchases on their accounts that they report promptly. Major banks and credit card companies — including American Express, Discover, Bank of America, Wells Fargo and PNC — said they were monitoring customer accounts.

J.P. Morgan Chase said it was temporarily limiting ATM withdrawals to $100 a day and purchases to $300 a day for customers whose accounts were at risk.

How did this happen? Many questions remain unanswered. But security experts believe hackers had access to the point-of-sale data, which means they either accessed the terminals where customers swiped credit cards or collected data as it moved from Target to credit card processors.


  • SoSueMe

    Here’s another idea… Don’t shop at Target. I don’t shop there because I do not like their stance politically. Eff Target.

  • Bru

    That data should have been encrypted long ago per the PCI DSS (Payment Card Industry Data Security Standard), which went into effect in 2004. PCI DSS was formed by the card companies and payment processing industry to create uniform security requirements for the entire industry to provide increased security for customer data.

    The PCI requirements have been refined and updated several times since 2004, but one of the main items has always been the encryption of payment card track data when stored or during transmission so it could not be retrieved or intercepted by hackers.

    I’m really curious how Target passed their PCI Audits for the past 8 years without having that data encrypted.

    Visa and MasterCard require Merchants and Service Providers to be validated according to the PCI DSS. In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach is subject to additional card scheme penalties, such as fines.

    I’ll put on my Carnac turban here, and predict that Target is going to be found at fault for not being in compliance with PCI DSS, and will end up paying some huge fines similar to those paid by Heartland, and TJ Maxx…