Target Corp. Credit Card Breach

Risk Advisory/Internal Audit

By Eric Fair

What Happened?

With holiday shopping behind us, it is time to focus on how secure our credit card data really is. By now, you have probably read or at least heard of the Target Corp. consumer data security breach. After conflicting media reports, it appears that U.S. retailer Target Corp. was the victim of a cyber-attack that compromised up to 40 million payment cards, reportedly during a 19-day span through December 15, 2013. This was reported as the second-largest retail breach in U.S. history.

What Was Obtained?

Through various media reports, Target spokespeople acknowledged that the following personal information was compromised as part of this security breach:

  • Customer Names
  • Credit Card Numbers
  • Expiration Dates
  • Debit Card Numbers
  • CVVs and Security Codes
  • Encrypted Debit Card PIN Data

What Is the Impact?

Consumer Impact

The exposed consumer financial data could be used by hackers directly or sold on underground markets, where fraudsters could make card replicas, make unauthorized ATM withdrawals, or make purchases online or in person. This could damage one’s personal financial situation and create a huge hassle in the process. Any unsettled balances from fraudulent charges could also affect one’s personal credit rating.

Corporate Impact

If investigations show that Target was not following the Payment Card Industry Data Security Standard (PCI DSS), major credit card companies could levy very steep fines and penalties against Target. In addition, Target could be subject to an increase in credit card transaction fees, be responsible for paying back fraudulent charges, and might even have to pay for credit card monitoring for customers for longer periods of time.

Target is also now facing many class action lawsuits for failing to protect consumer data. Specifically, according to federal court records and later confirmed by Target, at least 40 separate lawsuits have been filed across the country in relation to the consumer data security breach. The suits focus on Target’s violation of various state laws and negligence in the way it managed customer data and reported the breach.

Target’s Response

Target has offered affected customers free credit service monitoring, a telephone hotline to provide additional assistance, and a two-day store-wide 10% discount. Additionally, Target took action to notify banks and law enforcement, and also hired a “leading third-party forensics firm” to thoroughly investigate.

In a statement, Target gave assurances that ID numbers are ‘safe and secure’ because of the Triple DES encryption used to protect sensitive data. During a debit purchase at a Target store, card information is “encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

Based on that assertion, the most important thing to know is that your debit card PIN has not been compromised unless the hackers have found a way to break the Triple DES encryption.

For the statement released by Target, see this link, which also provides additional details surrounding the breach.

Were You Affected?

To determine if you were one of the Target customers affected by this consumer data security breach, it is important to do the following:

  • If you made a credit or debit purchase at a Target location between November 27 and December 15, call your credit card company, bank, and/or Target to determine appropriate next steps.
  • Monitor your online and/or paper statement periodically for any unauthorized charges.
  • Request a replacement credit/debit card and change your PIN.

Update: On Friday, Target announced that the number of people whose personal information was stolen in the breach has grown to 70 to 110 million people. For more information, please read "For Target, the Breach Numbers Grow."

© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
