MINNEAPOLIS — Target Corp. faced a consumer backlash at the height of the holiday shopping season following the revelation that credit and debit card data was stolen from as many as 40 million of its customers.
The disclosure of the data security breach, which occurred from November 27 until December 15, led customers to tie up the discounter’s phone lines, jam its credit card website, and post irate messages on its Facebook page.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” chairman, president and chief executive officer Gregg Steinhafel said in a statement issued six days before Christmas. “We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
The chain brought in the Secret Service to investigate the break-in and reportedly hired a forensics unit at Verizon Communications Inc.
It was believed that Target’s credit-card swiping machines were hacked with malicious software, or malware. Stolen information included shoppers’ identities, credit and debit card numbers, expiration dates and three-digit security codes, according to a notice on the Target website. Online sales were not compromised.
Data breaches are the most frequent source of card fraud and are increasing, according to a study by Javelin Strategy & Research. The study found that close to 16 million consumers learned that their cards were compromised in 2012, and the number of victims more than quadrupled from 2010 to 2012, resulting in fraud of $4.8 billion.
Major data breaches have been estimated to cost about $17 per account. The amount includes legal costs, notification of customers, card replacements, sorting fraudulent from authorized charges and covering bad charges. In the case of Target, that would bring the total cost to around $680 million.
Some of the discounter’s customers complained last month of sham charges, but it wasn’t certain whether they were connected to the breach.
Card companies issued statements telling consumers that they were not responsible for fraudulent purchases. Banks are accountable for losses tied to unauthorized transactions, although the retailer may have to reimburse them.
Doubts about the security of cards’ magnetic stripes were expected to be revisited in the aftermath of the break-in at Target. Cards in other countries have an embedded computer chip and create a unique number for every sale, making them less vulnerable to theft.
“We have all known that the magnetic stripe is a 1970s technology,” Mark Weiner, managing partner at Reliant Security, a New York-based security firm, told the Wall Street Journal.
The Target breach “will absolutely push the U.S.” toward newer card technologies, Weiner said.
Target gets about 20% of its sales from its own branded credit and debit cards, which have been growth drivers.
In a letter to customers on its website, the retailer said, “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements.”
The theft was significantly smaller than a 2007 breach at T.J. Maxx, when 90 million customers had data pilfered, and a hack of the card processor Heartland Payment Systems five years ago — the largest on record — when 130 million card numbers were stolen.
Comments are closed.