This week, Target confirmed that 40 million debit and credit card numbers were stolen in one of the largest data breaches of its type in history. The breach, which occurred between Black Friday 2013 and December 15, 2013, swiped customer names, credit or debit card numbers, the card’s expiration date and CVV codes. While Target and law enforcement – including the Secret Service – are investigating this massive crime, it’s likely that the criminals were able to steal this information by installing malware on a company machine, or by persuading an unsuspecting employee to click on a malicious link that downloaded malware that gave the criminals control of Target’s point-of-sale systems.
While this sounds bad, Target customers who shopped at the store in the past few weeks (especially more than once, such as yours truly) shouldn’t panic. In an email to media today, Target explained that “there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash.”
To clear up some additional confusion, Target also explained that “The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase.”
Target is also very clear that this data breach should not lead to any identity theft, as there is “no indication that the data that was inappropriately accessed included a guests’ date of birth or social security number.”
Most financial institutions are already on the lookout for fraudulent activity that may occur as a result of this threat, though there has been no evidence that any has occurred so far. Target has already alerted all of the networks (Visa, MasterCard, Discover and American Express) and provided the affected card numbers of guests who may have been impacted. The networks, in turn, are providing the affected card numbers to the financial institutions of Target customers via a “batch” or “CAMS alert.”
In a blog post to its customers today, USAA reiterated that there is no need to reset PIN numbers or cancel cards. USAA’s Chief Security Officer, Gary McAlum, told me that Target customers really have no need to panic and overreact. As he said, “This type of breach happens every day – although obviously not on this big of a scale – and every financial institution is looking at this very closely, analyzing the implications for their customers based on the information provided by Target. Customers do not need to call their banks as they monitor user accounts 24/7.” He explained that if banks like USAA do start to see fraudulent activity, they’ll automatically reissue cards.
Additionally, McAlum said that as these types of data breaches happen on a smaller scale every day in the U.S. – primarily because the U.S. is one of the last countries to rely on credit and debit cards with magnetic strips instead of embedded chips – customers really do need to stay vigilant. He advised that whether or not a breach like Target’s had happened, “customers should be checking credit card statements regularly for things that aren’t quite right. Many financial institutions offer tools like fraud alerts so you can be alerted when something abnormal happens to your account.”
Target CEO Gregg Steinhafel also underscored that customers should not panic. In a statement today, he said, “We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud.” He added that “We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests.”
In fact, to help restore confidence in the company and encourage guests to come back to Target to finish their holiday shopping, Target will be offering a 10% discount to guests who shop in U.S. stores on Dec. 21 and 22. As Target claims “the issue has been identified and eliminated,” this weekend might be a great time to get your shopping done – and get a good deal on those last-minute items, too.