Stolen Target customer data 'flooding' black markets, report says

Here's the holiday story that only seems to be going from bad to worse.
Written by Rachel King, Contributor

Target confirmed earlier this week that the credit card data of more than 40 million customers had been stolen, prompting many to question what would anyone be able to do with that vast, perhaps overwhelming, trove of information.

Well here's an answer that is both upsetting but not terribly surprising either.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach on his blog earlier this week, filed an update to Krebs on Security on Friday.

Basically, according to Krebs, all of that information has been circulating underground black markets around the world for weeks now.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

The big box retailer affirmed Krebs's original scoop that the breach lasted from the day before Thanksgiving (November 27) through December 15. During that time, the still-unidentified hackers illegally obtained customer names, credit and debit card numbers, card expiration dates as well as CVVs (the three-digit security code), according to a letter to customers.

Target is working with the United States Secret Service, among other law enforcement agencies, to track down the culprits.

In the meantime, there are a number of security software providers and experts as well as financial institutions doling out advice to those possibly affected as well as anyone else shopping -- in stores or online -- this holiday season.

Eric Chiu, CEO of virtualization security and compliance solutions provider HyTrust, outlined some initial recommendations in a blog post on Friday that are applicable to and should be observed by everyone, such as vigorously monitoring bank and credit card statements and even signing up for fraud prevention services.

For those involved in this week's high-profile breach, Chiu suggested reaching out to Target directly as they might provide fraud prevention and detection services for free, as many other corporate entities have done for their customers in the past.

Based on the comments of Paul Lipman, CEO of cloud security network Total Defense, it would be wise for Target to heed that latter note as well as take more proactive steps in assisting customers right now.

In an email, Lipman argued that while the impact on holiday sales will be minimal, he warned that "it will be the long term fallout from the ongoing costs related to the breach, and the loss of customer trust, that will have a larger impact on the company."

Editorial standards