Payment card data was stolen from an unknown number of Target Corp customers starting on the busy Black Friday weekend in a major breach at the U.S. retailer, according to a person familiar with the matter.
Investigators believe the data was obtained via software installed on machines that customers use to swipe magnetic strips on their cards when paying for merchandise at Target stores, according to the person who was not authorized to discuss the matter and declined to provide further details.
Krebs on Security, a closely watched security industry blog that broke the news, said the breach involved nearly all of Target’s 1,797 stores in the United States, citing sources at two credit card issuers. The report said that “track data” from at least 1 million payment cards was thought to have been stolen before Target uncovered the operation, but that the number could be significantly higher.
“When all is said and done, this one will put its mark up there with some of the largest retail breaches to date,” the report cited an unnamed source as saying.
The biggest credit card breach at a U.S. retailer reported to date was an attack against TJX Cos, the parent of TJ Maxx and Marshalls. The company disclosed in March 2007 that data from 45.7 million payment cards had been stolen by hackers over 18 months. Banks later asserted in court documents the hackers could have obtained more than 94 million account numbers.
The data breach at Target could have extended from just after Thanksgiving to December 15, Krebs said, citing evidence from investigators.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores across the country. Doing so would have required careful planning by sophisticated cyber criminals.
An American Express spokeswoman said the company is aware of the incident and is putting fraud controls in place.
Representatives for Visa and MasterCard declined to comment.
There are no indications that the theft affected shoppers on Target’s website, Krebs reported.
(Reporting by Jim Finkle in Boston and Jennifer Saba in New York; additional reporting by Aman Shah in Bangalore;
Source: Reuters (Editing by David Gregori, Andre Grenon and Phil Berlowitz)