By BRIAN DOWLING, firstname.lastname@example.org
The Hartford Courant
10:50 PM EST, December 19, 2013
Authorities on Thursday advised Target shoppers to monitor their credit and debit card accounts for suspicious activity after the country's third-largest retailer reported that criminals stole card information from tens of millions of customers during the busiest weeks of this year's holiday shopping season.
Target said the sensitive financial data was accessed for nearly three weeks, from Nov. 27 until Dec. 15, affecting as many as 40 million debit and credit card accounts. Criminals had access to information such as the customer's name, the card number, the card's expiration date and security codes.
State Consumer Protection Commissioner William M. Rubenstein advised consumers who shopped at Target during that period: "If you can check your debit card transactions and credit card transactions online, go ahead and do so today. If you can change your pin numbers for your cards, do so now. With so much shopping and spending going on this time of year, consumers should be extra vigilant."
The state's attorney general, George Jepsen, pressed the company for more information. The incident, he said, "raises questions about the effectiveness of Target's measures to protect the confidentiality and security of private information it receives from its customers."
State officials said that if Target shoppers see suspicious activity on their credit or debit accounts, they should contact their bank. If they believe they are victims and have had their credit card used without consent, Rubenstein and Jepsen advised that they contact credit reporting agencies (Equifax, Experian and Transunion), submit a complaint to the Federal Trade Commission and file a police report.
The breach is the second-largest ever at a retailer, behind a 2007 incident involving the parent company of T.J. Maxx stores.
In a statement, Target said that it had hired a third-party forensics firm to investigate the breach, and was also working with financial institutions and law enforcement. The retailer, with 1,797 stores in the United States and 20 in Connecticut, did not explain how its systems were compromised for such a long time to expose so many of its customers.
Brian Kelly, head of information security at Quinnipiac University in Hamden, said that the attackers could have had access to a central server or a data center. "You generally can't get 40 million cards by attacking a single point-of-sale terminal," he said.
It was unclear why the company waited until Thursday to notify customers of the problem that it had identified Sunday. Connecticut law requires stores to notify shoppers of such a breach, but the notice can be delayed if it would impede a criminal investigation.
U.S. Sen. Richard Blumenthal said in a statement that he was concerned that Target didn't act as quickly as it should have to protect customers. "Notification should be immediate and comprehensive," he said.
"Target also should provide financial data security services, including free access to credit reporting and monitoring services — fully funded by the company — as well as sufficient insurance to protect affected consumers from any possible harm from identity theft," Blumenthal said.
Jepsen, in a letter to Target, called on the company to release the basics about the incident: How many Connecticut stores were involved? How many Connecticut residents are affected? When will Connecticut residents be notified? What steps has the company taken to protect residents affected? Will the company provide free credit monitoring to impacted customers?
Avivah Litan, a financial fraud analyst with Gartner Research, predicts that Target will pay for the breach in higher merchant fees for card transactions, in fines and in payments to card issuers for any fraud that results from the breach.
"Target no doubt has spent a small fortune on payment card security," said Litan, "yet the theft still occurred."
She said the breach could cost Target less than $25 million, though "the fees it pays the banks may be twice that amount."
A TD Bank customer service line directed callers to a special message concerning the Target announcement: "Please be aware that TD Bank is working closely with Target on this issue ... we have fraud-detection processes in place to help protect our customers. With TD Bank and Visa's zero-liability protection, you are not liable for any unauthorized transactions made fraudulently with your Visa debit or credit card," the message said.
Copyright © 2014, The Hartford Courant