Target confirms breach: 40 million accounts affected

Summary: Customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code) were breached, the retailer said.

Target on Thursday confirmed that payment card data at its stores had been compromised, with 40 million accounts affected.

The retailer was confirming a report Wednesday that the breach had occurred. The breach was first reported by Krebs on Security. Customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code) were breached, according to a letter to customers.

According to the company, 40 million credit and debit cards were breached between Nov. 27 and Dec. 15. Target said it alerted law enforcement and financial institutions immediately. The company added that it has "identified and resolved the issue."

Target added that it is working with a third-party forensics firm to investigate the incident.

Security experts raised eyebrows at the fact that CVV codes were breached.

Forrester analyst John Kindervag said:

This is a breach that should've never happened. The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC. Without knowing the exact breach vector it's hard to say exactly what happened, but clearly by exposing CVV information Target has demonstrated a blatant disregard for PCI DSS compliance regulations as well as card security best practices.

It's a brand disaster at the busiest shopping time of the year.

  • Stolen CVVs too?

    If I recall correctly, the CVV numbers are not supposed to be stored at all, right? If that is the case, then this breach would seem to say that they had some kind of real-time skimming breach going on. Wow, that's ugly.
    • and SSNs were never supposed to be used for ...

      still, every phone company and power company including their offshore call centers know them.

      The penalty for breaking the rules is not sufficient to correct the behavior.

      The basic assumption people should operate with is if you give someone any information they will leak it at some point if they don't just sell it outright.
      • SSN are not supposed to be used..

        As an ID. However you are allowed to capture them. Which in itself is hilarious because as long as SSN is captured it can always be queried.
    • From Krebs Security

      "The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs."
      • update

        "Avivah Litan, a security analyst with Gartner Research, says given all the security, she believes the breach may have been an inside job."

        Read more:
    • Umm

      If you had read the article you would see they mentioned that.
      • No?

        I see no mention here of skimming the card data in real time. Are you referring to a different article?
    • storage of CVV values prohibited under PCI-DSS

      Under PCI-DSS CVV values are prohibited to be stored by the merchant…. if they were caught in flight, however, then that would be one scenario for how they may have been compromised….
      Kia Ora IV
    • Target Credit Card Breach & Protect Your ID in 5 minutes
  • Target confirms breach: 40 million accounts affected

    What OS was it running?
    • Umm

      Windows Server
      • That explains it

        That explains why they went after and hacked the terminals and readers, and not the server. ;)
        • the terminals and readers are believed to be

          windows embedded/CE
          • believed by whom

            got a source? post it.
          • Google up

            "StarDust Dexter POS"
          • Seriously I don't really know. But it may be 50/50 chance of

            embedded windows or linux involved. Which fanboy will get to laugh at the other...
            However, I would think the most likely cause would be a rogue developer, who could easily include code in the system software to send off the track data to some server; regardless of OS, that would be very easy.
          • Fanboy Distraction

            Everyone is hung up about which fanboy laughs at what OS etc....

            That's not the point though.

            When a Microsoft system is compromised, it is often via a flaw in some component which is either hard, inconvenient or simply downright impossible to remove from an installed Windows system on account of the massive tangle of interdependent software that has to be present to boot and run the damn thing -- the GUI for a start -- and bear in mind, how often do you catch a glimpse of a Windows GUI in places you wouldn't expect it?!?

            Whilst it's seldom the core Linux components that get compromised when a *nix system is hacked -- it'll be some shoddy PHP application or third-party crap or some such... The crux is that it's really simple to strip out the unwanted elements of Linux because it will boot the entire kernel without needing half the World's graphical software functionality all loaded as well, sheesh.

            And being able to strip back to a trusted foundation is what matters -- it's just as rare for the Windows kernel to be hacked, the trouble is it's really hard to have the Windows kernel without all the problematic areas of complexity it is inextricably dependent on.

            And *that* is the design flaw with MS-Windows.
          • It's likely this from a few days ago.

            Keep reading, you'll find your culprit OS named, and let's just say, it's not too surprising.
          • PIN pads compromised at the plant?

            I heard the PIN pads were Equinox (formerly Hypercom)…perhaps the entire fleet were compromised at the point-of-manufacture….
            Kia Ora IV
  • all card readers at all stores compromised ?

    that seems unlikely, unless they were hacked from their connection to the POS or the PC running windows connected to the card reader (IMO, the most likely scenario).

    And m$ will keep minting 100s of millions of dollars from Target alone, with no liability whatsoever. Worse, none of these companies will say what software was compromised. WHY? It's not like the vendor compensated them for their loss (it's in the EULA) or even offers them "free" licenses (read m$ trojans) going forward?!