The Breach that Spoiled Christmas
“FWD: IMPORTANT INFORMATION FROM TARGET:
We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV.”
Whoops…not supposed to be storing that CVV! Was this a database breach or a wiretap? The security folks at Target aren’t amateurs; this suggests either a highly sophisticated outside attacker and/or an insider may have been involved.
Then I looked at the dates. Oh heck, I was just shopping at Target myself. Was that how someone got my number for the Michael Koors handbag?
Fortunately, a credit card activity report download proved I’d been shopping at Target on November 16, well before the reported dates of the breach. Guess mine happened somewhere else…
But others aren’t so lucky. On Saturday, December 21 JP Morgan Chase began limiting daily cash withdrawals to $100 and putting on a $300 daily purchasing cap for debit card holders breached at Target. What if that was your only card and you hadn’t done your Christmas shopping and there’s only a few days left to shop? Then who would you call the Grinch that stole Christmas?
CNBC: Weak U.S. Card Security Made Target a Juicy Target
Krebs Online: Cards Stolen in Target Breach Flood Underground Markets