Stolen Target customer data 'flooding' black markets, report says


Summary: Here's the holiday story that only seems to be going from bad to worse.


Target confirmed earlier this week that the credit card data of more than 40 million customers had been stolen, prompting many to question what anyone would be able to do with that vast, perhaps overwhelming, trove of information.

Well, here's an answer that is upsetting but not terribly surprising.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach on his blog earlier this week, filed an update to Krebs on Security on Friday.

Basically, according to Krebs, all of that information has been circulating underground black markets around the world for weeks now.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

The big box retailer affirmed Krebs's original scoop that the breach lasted from the day before Thanksgiving (November 27) through December 15. During that time, the still-unidentified hackers illegally obtained customer names, credit and debit card numbers, card expiration dates as well as CVVs (the three-digit security code), according to a letter to customers.

Target is working with the United States Secret Service, among other law enforcement agencies, to track down the culprits.

In the meantime, there are a number of security software providers and experts as well as financial institutions doling out advice to those possibly affected as well as anyone else shopping -- in stores or online -- this holiday season.

Eric Chiu, CEO of virtualization security and compliance solutions provider HyTrust, outlined some initial recommendations in a blog post on Friday that are applicable to and should be observed by everyone, such as vigorously monitoring bank and credit card statements and even signing up for fraud prevention services.

For those involved in this week's high-profile breach, Chiu suggested reaching out to Target directly as they might provide fraud prevention and detection services for free, as many other corporate entities have done for their customers in the past.

Based on the comments of Paul Lipman, CEO of cloud security network Total Defense, it would be wise for Target to heed that latter note as well as take more proactive steps in assisting customers right now.

In an email, Lipman argued that while the impact on holiday sales will be minimal, "it will be the long term fallout from the ongoing costs related to the breach, and the loss of customer trust, that will have a larger impact on the company."

  • Well, our feds are too busy

    listening to phone conversation and reading internet data of law abiding citizens to be bothered by such trivia.

    If pressured to follow through, I am sure their reply would be, "congress has stolen $16 trillion from citizens, does some credit card theft even count as a crime ?".

    And I am going down...3..2..1..
    • Actually, I believe the NSA is the one doing the listening... (^_^)

      The Feds are still free to do what they've always done. Never overundermisestimate the power of Bureaucratic compartmentalisation.
      D. W. Bierbaum
  • Anybody know a good Lawyer

    I see class action suit and I would sign up.

    oops already happened.
  • Which Version of Windows

    was running on the card readers and/or registers?
    • It's Linux based, as you know

      so it was pretty much child's play to hack it.
    • M$ is also responsible

      for having an insecure OS on the cash registers.
      LlNUX Geek
      • Cash register software doesn't matter, it's software only the readers only

        Before you post, at least be accurate, which is too much to expect from a LINUX creep, er Geek. MS bashers need to be blocked for worthless posts.
        • @Rollguy: I agree 100%!!

          But besides just the MS bashers, let's also include the Apple bashers, the Linux bashers, the Google bashers, the Android bashers, etc..

          Of course the only problem after all that is there won't be too many posts left, but at least they have a better chance of being relevant to the article / blog that was written..

          I always feel bad for those that this happens to, and hope they catch the Hackers that did this. They could help out the tech community and the people around them if they were legit.

          Happy New Years everyone!!!!
      • Security

        ALL OS's are hackable, companies don't want to spend money updating software or actively monitoring systems. Just like the banks, the money they pay out to hacking is less than the money spent watching what was going on and fixing the systems.
  • And of course you can buy those card numbers using

    Bitcoin, Litecoin, WebMoney and PerfectMoney.
  • Alternatives

    Retailers like Target are just one of the many, including banks and data collection companies whose security would consist of something as banal as using password as the password.
    That might be a slight exaggeration, but when push comes to shove security costs are many times a company's petty cash resource.
    With the sophistication of hackers/criminal you would think the acceptable alternative would be to spend more money on security and customer relations and less on token discounting.
  • Your Aunty Kaylee got her car from servicing winos on the Bowery.

    If she did that full time, she would be driving an Escalade or a Mercedes. If she satisfies enough of the bums, "word of mouth" will propel her into the future. Now go spam somewhere else, you cretin!
  • Target customers: Cancel your card ASAP

    Yeah, all the pious advice by Target to watch your monthly statements like a hawk for the next few years is 100% BS. Unfortunately, the only safe thing to do is cancel your damn card ASAP and get a new number.

    It's a real pain to do this, but I've had to do it twice now in the last 4 years. Actually, my credit card company automatically did it for/to me at their first detection of fraudulent use of my card.
    Asok Smith
    • Not so much of a pain.

      Called the card company. Asked that the card be canceled and reissued. The rep said "no problem" and the matter was done in several minutes. We also verified that the few pending charges that she could see but we couldn't yet see online were valid. She said they've been getting a number of these calls. Since this was the only one of our several cards that was used at Target, the loss of use of this card for a few days is no problem.
    • Not a Real Pain - But Great Advice Nevertheless

      Cancel your card and get a new number. Why aren't ANY of the advice-givers being quoted in all of the news reports saying to do this?

      Watch your statements like a hawk blah blah blah...

      Sign up for credit monitoring blah blah blah blah...

      Contact credit monitoring agencies and put a credit freeze or credit alert on your record blah blah blah...

      I received a new credit card within 4 minutes of asking for one. It took 15 minutes out of my lunch to drive to the nearest branch of my bank, show my ID, explain what happened, get my card canceled and a new one issued.

      Done! Sleeping easier...
    • Pain? What bank you have?

      I just went to my bank and requested a new account. Provided some ID, signed some paperwork and I was done, less than 30 minutes. They gave me a temporary new card, while I wait for my regular permanent card 5 to 10 business days.

      As for monitoring my bank statement, it will be great if Target provides this. While this is good, this kind of service will be after the fact, after the crime is done. While some banks provide a 100% reimbursement of stolen money, some make you responsible for the first $50.
  • Why are they storing this information?

    Isn't the transaction complete and vendor provided credit immediately on confirmation from the bank that the funds are available and have been debited.
  • What Target is offering

    According to the article urled in your article, Target is offering fraud checks which your article implies you might convince them to give you.
  • Why people steal?

    Because they thought the risks are smaller than the benefit.

    Will the death penalty help?

    But it may raise a concern about the human rights of the thieves?
    • For some people ..

      For some people, it is acceptable to get 5 cents by causing 500 dollars of damage to others