Yesterday, it was revealed that retailing giant Target suffered a major security breach. As KrebsOnSecurity first reported, it involves "millions of customer credit and debit card records... The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year." And now Target says it looks like 40 million customers' information may have been compromised between November 27 and December 15 of this year.
According to the Wall Street Journal, "The theft was national in scope and happened in stores, not online, and may have involved tampering with the machines customers use to swipe their cards when making purchases... The data affected in the breach included customer names, credit or debit card numbers, expiration dates and CVV security codes, according to a notice posted for customers on the Target website."
A Target spokesperson said, "This was obviously a very sophisticated crime." The Times reports, "In such cases, security experts say a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded software that gives cybercriminals a foothold into a company’s systems."
Target issued a statement today, with chairman Gregg Steinhafel saying, "Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
The company added, "Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident. More information is available at Target’s corporate website. Guests who suspect unauthorized activity should contact Target at: 866-852-8680."
The U.S. Secret Service is investigating the breach.