Target confirmed early on Thursday morning (via ZDNet) a massive data breach affecting some 40 million credit and debit card accounts. Fortunately for those who shop at Target.com, the breach doesn't involve them; instead, it involves data stored on the magnetic stripe of cards used at the stores.
Normally when a data breach occurs, most people instantly think of a website breach. Target said:
"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue. [...]
"Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
"Resolved" doesn't mean the criminals have been caught and the data magically erased from the hands of any miscreants that may have purchased the info. Instead, it means that Target has closed whatever breach existed.
However, while Target says the breach is closed, according to a person involved in the investigation, who spoke only on condition of anonymity to the New York Times, the thefts may be continuing. It is unclear which statement is correct in this matter.
Clearly, Target is saying that if you did not shop at the store between those dates, or if you shopped online ("mostly online-only shoppers" such as us will breathe a sigh of relief), you are safe. To be clear, these hackers have everything, including the CVV security code from credit and debit cards.
The type of data stolen is known as "track data." With it, criminals can create counterfeit cards by encoding the data onto a card with a magnetic stripe. It is unclear if PINs for debit cards were stolen as well, but if they were, criminals could theoretically use them to withdraw cash from ATMs.
It is still unclear how the breach occurred. The theory, thus far, is that the hackers compromised the software controlling point-of-sale systems somehow, perhaps by using a targeted phishing attack or inserting malware with the help of an insider.
One has to wonder if pre-Christmas shopping at Target will take a serious nosedive, now that the news has been made public.
Aside from informing the public and making suggestions on credit monitoring and the like, Target has not offered any of those affected anything to alleviate the upcoming pain. Frequently, in the past, companies have offered free credit monitoring to those hacked through a company's systems.