The Consolidated National Target Data Breach Class Action Complaint (PDF) was filed on 8/25/14.
The Target cases have been transferred (PDF) to Minnesota, Target’s home state.
How to Limit Your Losses
Credit Card Loss or Fraudulent Charges
Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.
ATM or Debit Card Loss or Fraudulent Transfers
If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:
| If you report: | Your maximum loss: |
|---|---|
| Before any unauthorized charges are made. | $0 |
| Within 2 business days after you learn about the loss or theft. | $50 |
| More than 2 business days after you learn about the loss or theft, but less than 60 calendar days after your statement is sent to you. | $500 |
| More than 60 calendar days after your statement is sent to you. | All the money taken from your ATM/debit card account, and possibly more; for example, money in accounts linked to your debit account. |
If someone makes unauthorized transactions with your debit card number, but your card is not lost, you are not liable for those transactions if you report them within 60 days of your statement being sent to you.
How to Protect Your Cards and Account Information
For Credit and ATM or Debit Cards
- Don’t disclose your account number over the phone unless you initiate the call.
- Guard your account information. Never leave it out in the open or write it on an envelope.
- Keep a record of your account numbers, expiration dates, and the telephone numbers of each card issuer so you can report a loss quickly.
- Draw a line through blank spaces on charge or debit slips above the total so the amount can’t be changed.
- Don’t sign a blank charge or debit slip.
- Tear up copies and save your receipts to check against your monthly statements.
- Cut up old cards — cutting through the account number — before you throw them away.
- Open your monthly statements promptly and compare them to your receipts. Report mistakes or discrepancies as soon as possible.
- Carry only the cards you’ll need.
For ATM or Debit Cards
- Don’t carry your PIN in your wallet, purse, or pocket — or write it on your ATM or debit card. Commit it to memory.
- Never write your PIN on the outside of a deposit slip, an envelope, or other papers that could be lost or looked at.
- Carefully check your ATM or debit card transactions; the funds for each transaction will be quickly transferred out of your checking or other deposit account.
- Periodically check your account activity, especially if you bank online. Compare the current balance and transactions on your statement to those you’ve recorded. Report any discrepancies to your card issuer immediately.
At least thirty-three class action complaints have been filed in eighteen federal districts against Target regarding the data security breach. All of the Target cases will be heard by one panel of federal judges, in an “MDL,” which means “Multi District Litigation.” This MDL has already been given a name: “IN RE: TARGET CORPORATION MDL 2522 CUSTOMER DATA SECURITY BREACH LITIGATION.” Right now, there are competing motions between attorneys who filed Target data breach class actions, each asking that the MDL be in the state they prefer. It is yet to be determined where the MDL will be, but the most likely candidates are California (where the first case was filed, and where the law regarding data breaches is most favorable to Plaintiffs) and Minnesota, where the Defendant resides.
28 U.S.C. § 1407 (a) is the federal statute governing MDLs. This law provides:
- When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings.
- The rationale for MDLs is this: The transfer of actions to a single forum under § 1407 is appropriate where it will prevent duplication of discovery and eliminate the possibility of overlapping or inconsistent pleading determinations by courts of coordinate jurisdictions. In re Litig. Arising from Termination of Retirement Plan for Employees of Fireman’s Fund Ins. Co., 422 F. Supp. 287, 290 (J.P.M.L. 1976); In re LTV Corp. Sec. Litig., 470 F. Supp. 859, 862 (J.P.M.L. 1979).
Target sent out a mass email to consumers throughout the United States offering a free credit monitoring service. Too little, too late?
The Credit Monitoring Email
On Jan 15, 2014 4:10 PM, “Target.com” <TargetNews@target.bfi0.com> wrote:
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
- Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
- Delete texts immediately from numbers or names you don’t recognize.
- Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information. Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Chairman, President and CEO
Target said it now believes hackers stole 70 million customers’ names, mailing addresses, phone numbers or email addresses during a three-week holiday season cyberattack, a drastic increase from the company’s previous estimate of 40 million affected consumers.
A Class Action complaint was filed on Tuesday, December 31, 2013, on behalf of Massachusetts and Ohio residents by the Leonard Law Office, LLP and co-counsel. The complaint alleges:
“Defendant Target Corporation is organized under the laws of Minnesota, with a principal place of business at 1000 Nicollet Mall, Minneapolis, Minnesota 55403. Target has annual revenue of $72 billion, with 1,797 stores throughout the United States. Target is publicly traded under the symbol TGT.
A nationwide breach in Target’s point-of-sale retail credit/debit card processing network and computer system “cardholder data environment” compromised personal and financial data (the “Personal Information”) connected to about 40 million Target customers’ credit and debit card accounts between November 27 and December 15, 2013 – the height of the holiday shopping season. This was the second largest of such events in U.S. history, surpassed only by a 2005 breach involving retailer TJX that affected 45.7 million card users.
As a result of the breach, millions of customers who shopped at a Target “brick and mortar” store anywhere in the United States between November 27, 2013 and December 15, 2013 and paid by credit or debit card have suffered the theft of their credit and debit card information at the hands of computer hackers. Many of these customers have already reported that these hackers have made unauthorized charges using their financial data, and many more such unauthorized transactions are expected in the coming weeks and months.
Not only did Target utterly fail to live up to its duty to protect its customers’ private financial information, Target’s response to this massive security breach has been woefully inadequate. Target did not inform its customers of the breach for a full four days after discovering the hackers, and when it did report on the breach, it initially did so only on Target’s corporate website, not the commercial website frequented by Target customers. Target was so terrified of scaring off customers during the busy holiday shopping season that it failed to properly inform the millions of customers whose personal financial information had been stolen as a result of Target’s own negligence.
Credit card companies require merchants to comply with Payment Card Industry (PCI) Data Security Standards as well as their own specific requirements, i.e., Visa Operating Regulations. The basic tenets of data security in the context of credit card processing are embodied in PCI Data Security Standards 1.3.5: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet” and 1.2: “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.”
A massive breach of a retailer’s cardholder data environment and wide scale release of Personal Information, such as the one that affected Target during 19 of the busiest shopping days of the year, would not have occurred absent the retailer’s failure to comply with these and dozens of other Data Security Standards.
Target failed to exercise the care it owes to Plaintiffs and the other Class members – namely, safeguarding its cardholder data environment and securing their Personal Information.
News of the widespread data breach was first published by Brian Krebs, a security expert writing for “Krebs on Security,” an “in-depth security news and investigation” blog, on or about December 18, 2013 at 2:33 PM:
“According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores. Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment. Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.”
The day after Krebs broke the story, a flood of national mainstream media reports followed. By December 19, 2013, Target’s negligence was fully exposed by all of the major outlets. For example, the Associated Press wrote:
“Ken Stasiak [is] founder and CEO of Secure State, a Cleveland-based information security firm that investigates data breaches like this one… Stasiak’s theory is that the hackers were able to breach Target’s main information hub and then wrote a code that gave them access to the company’s point of sale system and all of its cash registers. That access allowed the hackers to capture the data from shoppers’ cards as they were swiped.”
CBS and Reuters reported:
“Target shoppers have been victims of a stunning theft of information on their credit and debit card accounts in recent days. The giant retailer said Thursday about 40 million credit and debit card accounts may have been impacted in U.S. stores between Nov. 27 and Dec. 15, 2013.”
Target’s response to the incident was woefully inadequate. The company claims that it learned of the breach on December 15, but Target waited until December 19 — four full days – before making any attempt to notify customers whose Personal Information was compromised. In fact, Target announced the breach after Krebs did.
Target’s website presently states:
“What was the issue?
The malware was discovered on our point-of-sale systems in our U.S. stores on December 15. At that time, we disabled the malicious code and immediately began notifying our card processors and the payment card networks.”
The breach was timed to occur during the busy holiday shopping season, a time when virtually every retailer in the United States is focused on generating as much revenue as possible. The days between Thanksgiving and Christmas comprise the period most valuable for retailers such as Target. Of such significance is this time period that the term “black Friday” was coined to describe the day after Thanksgiving as the most important shopping day of the year, when retailers’ accountants are finally able to mark entries in black ink as opposed to red.
Because the breach occurred during the holiday shopping season, Target may have been even less inclined to report it immediately insofar as they would presumably not wish to scare away potential customers during the most important shopping days of the year.
Target’s belated disclosures regarding the security breach and theft of Plaintiffs’ and the other Class Members’ Personal Information were disingenuous and incomplete. On December 19, 2013, Target finally released a statement concerning the data breach, but not one designed to notify affected customers directly. Instead, Target posted a statement on its corporate website (not on the shopping site regularly accessed by customers), confirming “that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three digit security code).” In its statement concerning the data breach, Target claimed to have “worked swiftly to resolve the incident…” and provided general advice such as “you may obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes.”
Target’s disclosure about the breach is misleading because data thieves accessed more than the “three digit security code.” Target’s reference to a three digit security code is incorrect. “CVV2” or “card verification value,” is the term that Visa uses to describe the three-digit value printed on the signature panel of a payment card used to verify card-not-present transactions. “Not-present” transactions are those which do not occur at retail locations.
In contrast with Target’s announcement on its corporate website, hackers obtained the information encoded on the magnetic stripe of cards known in the industry as “Magnetic Stripe Data” or “Track Data.” The data encoded in the magnetic stripe is for authorization during card-present transactions. Possession of this information is far worse than possession of CVV codes alone, for having it enables miscreants to combine all of the elements necessary to create usable counterfeit cards. According to Krebs, “The type of data stolen – also known as ‘track data’ – allows thieves to create counterfeit cards by encoding the information onto any card with a magnetic stripe.” This means that criminals are able to create “clones” of the cards that were swiped at Target stores, and use them to steal money from Plaintiffs and the Class members in a variety of ways, through fraudulent “card-present,” or “card-not-present” debit or credit transactions.
It is a violation of the terms of PCI Data Security Standard and Visa Operating Regulations to store sensitive cardholder account authentication information beyond authorization. This information consists of: magnetic stripe or “track data,” CVV2 data, or PIN data.
Target may have stored magnetic stripe or “track data,” CVV2 data, or PIN data, in violation of PCI DSS and Visa Operating Regulations. Indeed, on December 27, Target announced that debit card PINs were among the information stolen in the data breach; “a Target spokeswoman backtracked from previous statements and said criminals had made off with customers’ encrypted PIN information as well.”
In terms of “resolv[ing] the issue,” while the company may have temporarily plugged the gap in its security, the damage already done is severe. Not only are its customers presently in peril of theft of their money and identities, the losses will continue for years to come. An offer by Target’s CEO Gregg Steinhafel for a two-day ten percent discount is too little, too late.
Target failed to implement and maintain reasonable security procedures and practices appropriate to protect the nature and scope of the information stored by Target and thus such Personal Information was compromised in the data breach.
Had Target devoted sufficient money and resources to have a secure network, hackers would have been unable to exploit flaws in Target’s computer infrastructure, and unable to so easily collect customers’ credit and debit card information. Unfortunately for Plaintiffs and the Class members, Target instead chose the non-preventative approach described by Mark Rasch, a cybersecurity specialist and a former federal cybercrime prosecutor in Bethesda, Maryland: “Most merchants are content to clean up the damage from an attack, rather than pay for better preventive measures.”
According to James Lyne, global head of security research for the computer security firm Sophos, something was obviously defective about Target’s security measures. Lyne was quoted: “Forty million cards stolen really shows a substantial security failure. This shouldn’t have happened.”
Other security experts agree. For example, Forrester analyst John Kindervag indicated that “[t]his is a breach that should’ve never happened,” adding “the fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI [Security Standards Council].” Further, InformationWeek information security reporter Mathew Schwartz wrote: “Reached via email, a Target official declined to respond to questions about whether the retailer had stored the stolen card data in encrypted format, or whether it had been certified as PCI-compliant.”
It has already been reported that “credit and debit card accounts stolen in [the Target data breach] have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” Therefore, the Personal Information of Plaintiffs and the Class members is at great risk of being sold to criminals if it has not been already.
Krebs reported that he obtained information from various bank sources who found cards issued by their respective banks for sale at underground card shops and were able to identify many of those cards as having been compromised in the Target data breach:
At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards. When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.
Krebs also reported similar results from a smaller bank that had bought back twenty of its cards from a similar shop and found that one of them had been cancelled, but that the remaining nineteen “had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15,” and that some of those cards “‘already ha[d] confirmed fraud on them.’” (quoting his bank source).
The seriousness of the intrusion into Target’s network and the value of the data stolen in terms of its use for nefarious activities cannot be understated, and consumers around the nation are already experiencing unauthorized transactions and theft of funds as a result of Target’s failures to safeguard and control its cardholder data environment.
Scores of scared and angry Target customers sounded off on Target’s Facebook page, describing how the data breach wreaked havoc on their financial lives during the busy holiday season, complaining of unauthorized transactions, irritation, and expense associated with cancelling cards, and expressing frustration over their inability to reach Target customer support.  Examples of actual customer comments on Target’s Facebook page, with names and faces redacted, are reproduced below:
Target’s failure to directly notify its customers affected by the data breach may have violated the provisions of Massachusetts General Laws, Chapter 93H, and in particular the reporting provisions of c. 93H, § 3, which required Target, once it knew or had reason to know of a data security breach involving personal information and affecting Massachusetts residents, to provide prompt and direct notice of such breach to any affected Massachusetts residents, to the Massachusetts attorney general, and to the director of consumer affairs and business regulation for Massachusetts. Target’s failure to provide direct notice may also have violated various other similar state statutes. See, e.g., Cal. Civ. Code § 1798.82 (California); HRS § 487N-2 (Hawaii); 815 ILCS 530/10 (Illinois); La. R.S. § 51:3074 (Louisiana); Minn. Stat. § 325E.61 (Minnesota); N.C. Gen. Stat. § 75-65 (North Carolina); R.I. Gen. Laws § 11-49.2-3 (Rhode Island); Tenn. Code Ann. § 47-18-2107 (Tennessee); and Rev. Code Wash. § 19.255.010 (Washington).
Target’s failure to keep Class members’ data secure has had and will continue to have severe and long-lasting consequences for the Class members, including Plaintiffs, because the loss of data encoded in the magnetic strip of credit and debit cards gives rise to various forms of theft and fraud:
The most common form [of identity theft] however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sale or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.  (emphasis added).
Victims of credit card fraud have to spend considerable time and money to repair the damage caused. For example, when an identity thief opens up a new account using a victim’s personal information, that victim must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Identity thieves create additional adverse consequences by opening unauthorized accounts, taking out loans, and stealing funds. The effects can be long-lasting and devastating: “when a stolen identity is used to apply for additional lines of credit, the victim can spend years trying to resolve bad debt run up by thieves in their names. Some struggle to borrow money because of the damage to their credit scores. Others have been forced to file bankruptcy and lose their homes.”
According to a U.S. Government Accountability Office study regarding data breaches “stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.” The pilfered credit card data in this case reached the global marketplace rapidly.
Victims of the Target data breach who take the preventative measures of cancelling their cards will experience delays in accessing their funds while they wait for replacement cards to arrive.
Plaintiffs and the Classes now face years of constant surveillance of their financial and personal records, in addition to emotional distress and financial losses they have incurred, or will incur.
 Bloomberg. Target Corp (TGT:New York), retrieved from http://investing.businessweek.com/research/stocks/people/person.asp?personId=174446&ticker=TGT on December 24, 2013.
 Payment Card Industry Standards Council. Payment Card Industry (PCI) Data Security Standards, ROC Reporting Instructions for PCI DSS v2.0. September 2011, retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_2.0_ROC_Reporting_Instructions.pdf on December 24, 2013.
 Krebs, Brian. Sources: Target Investigating Data Breach. December 13, 2012, retrieved from http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/ on December 23, 2013.
 Associated Press. Answers to Questions about the Target data breach. December 19, 2013, retrieved from http://www.washingtonpost.com/business/technology/answers-to-questions-about-the-target-data-breach/2013/12/19/bde98d30-68d4-11e3-997b-9213b17dac97_story.html on December 23, 2013.
 CBS/Reuters. Target confirms massive credit, debit card data breach. December 19, 2012, retrieved from http://www.cbsnews.com/news/target-confirms-massive-credit-debit-card-data-breach/ on December 23, 2013.
 Target.com. payment card issue FAQ, December 22, 2013, accessed from https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ#q5881 on December 24, 2013.
 Steinhafel, Gregg. A message from CEO Gregg Steinhafel about Target’s payment card issues. December 19, 2013, accessed from https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca on December 19, 2013.
 Krebs, Brian. Sources: Target Investigating Data Breach. December 13, 2013, retrieved from http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/ on December 23, 2013.
 Visa. Visa Cardholder Information Security Program Prohibited Data Retention Attestation, retrieved from usa.visa.com/download/merchants/pdra_form_dec2006.doc on December 25, 2013.
 Perlroth, Nicole. Target’s Nightmare Goes On: Encrypted PIN Data Stolen. December 27, 2013, retrieved from http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen on December 28, 2013.
 Steinhafel, Gregg. A Message from CEO Gregg Steinhafel about Target’s Payment Card Issues. December 20, 2013, retrieved from http://www.abullseyeview.com/2013/12/ceomessage/ on December 24, 2013 (“We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22”).
 Anderson, Craig. Identity theft growing, costly to victims. April 13, 2013, retrieved from http://www.usatoday.com/story/money/personalfinance/2013/04/14/identity-theft-growing/2082179/ on December 24, 2013.
 Associated Press. Answers to Questions about the Target data breach. December 19, 2013, retrieved from http://www.washingtonpost.com/business/technology/answers-to-questions-about-the-target-data-breach/2013/12/19/bde98d30-68d4-11e3-997b-9213b17dac97_story.html on December 23, 2013.
 Schwartz, Mathew. Target Breach: 10 Facts. January 21, 2013, retrieved from http://www.informationweek.com/security/attacks-and-breaches/target-breach-10-facts/d/d-id/1113228 on December 25, 2013.
 Krebs, Brian. Cards Stolen in Target Breach Flood Underground Markets. December 20, 2013, retrieved from http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/ on December 24, 2013.
 Anderson, Craig. Identity theft growing, costly to victims. April 13, 2013, retrieved from http://www.usatoday.com/story/money/personalfinance/2013/04/14/identity-theft-growing/2082179/ on December 24, 2013.
 Government Accountability Office. Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. June 2007, retrieved from http://www.gao.gov/assets/270/262904.html on January 24, 2013.
 Krebs, Brian. Who’s Selling Credit Cards From Target? December 20, 2013, retrieved from http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/ on December 25, 2013.
Original post – December 20, 2013:
Overview of the Target Data Breach
Hackers reportedly accessed private data of Target shoppers from the day before Thanksgiving, 2013 until December 15, 2013. As many as 40 million consumers’ personal and financial information may have been compromised, making this possibly the second largest data breach case in U.S. history.
Target is the 2nd largest discount retailer in the United States. Target is ranked 36th on the Fortune 500 list of top US companies. 8 million Americans regularly shop at Target stores. James Lyne, global head of security research for the computer security firm Sophos, says something clearly went wrong with Target’s security measures: “Forty million cards stolen really shows a substantial security failure. This shouldn’t have happened.”
The following data was compromised:
Consumers may experience unauthorized transactions (including cash withdrawals and transfers) and identity theft as a result of this kind of data breach.
To determine whether you have been affected, it is recommended that you (1) search your bank statements for inappropriate transactions; (2) be on the lookout for signs of identity theft.
If you shopped at Target with a credit or debit card from the day before Thanksgiving to December 15, 2013, you are invited to contact us. We are currently interviewing potential clients in this matter.
Is Target at Fault for Permitting the Data Breach?
The data breach reportedly affected approximately 40 million credit and debit cards swiped at U.S. Target stores between November 27 and December 15, 2013. News of the data breach was first published by a blogger on or about December 18, 2013, before Target made any attempt whatsoever to notify affected customers. As widely reported by multiple news services on December 19, 2013, investigators believe the data was obtained via software installed on machines that customers use to swipe magnetic strips on their cards when paying for merchandise at Target stores. According to Krebs, “The type of data stolen — also known as ‘track data’ — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe.” The thieves may also have accessed PIN numbers for affected customers’ debit cards, allowing the thieves to withdraw money from those customers’ bank accounts. Allegedly, data thieves could not have accessed this information and installed the software on Target’s point-of-sale machines but for Target’s flawed network and data security. Target may have failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.
As this news broke, Target finally released a message from CEO Gregg Steinhafel about Target’s payment card issues concerning the data breach, but not one designed to notify affected customers directly. Rather, Target posted a statement on its corporate website (not on the shopping site regularly accessed by customers) on December 19, 2013, confirming “that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”
Will Unauthorized Charges Occur As a Result of the Target Data Breach?
According to the source that broke the Target data breach story, Brian Krebs, “Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” See Cards Stolen in Target Breach Flood Underground Markets.
Will Identity Theft Occur As a Result of the Target Data Breach?
The information the hackers took, assuming it includes personal identifying information and other financial information, is “as good as gold” to identity thieves, in the words of the Federal Trade Commission (“FTC”). Identity theft occurs when someone uses another’s personal identifying information, such as that person’s name, address, credit card number, credit card expiration dates, and other information, without permission, to commit fraud or other crimes. The FTC estimates that as many as 9 million Americans have their identities stolen each year. Identity thieves can use identifying data to open new financial accounts and incur charges in another person’s name, take out loans in another person’s name, incur charges on existing accounts, or clone ATM, debit, or credit cards. Identity thieves can use personal information such as that pertaining to the Class, which Target allegedly failed to keep secure, to perpetrate a variety of crimes that do not cause financial loss, but nonetheless harm the victims. For instance, identity thieves may commit various types of government fraud such as: immigration fraud; obtaining a driver’s license or identification card in the victim’s name but with another’s picture; using the victim’s information to obtain government benefits; or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund. In addition, identity thieves may get medical services using the stolen information or commit any number of other frauds, such as obtaining a job, procuring housing, or even giving false information to police during an arrest. Annual monetary losses from identity theft are in the billions of dollars.
According to a Presidential Report on identity theft produced in 2008: In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit.
Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration. In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors. According to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data breaches: [L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.
The victims of the Target data theft may now face years of constant surveillance of their financial and personal records, monitoring, and other losses. Although Target did not invite hackers to infiltrate its systems and steal personal and financial data, the company should have done a better job to prevent the intrusion.