The Breach that Spoiled Christmas

Trouble stalks the land of milk and honey. Hackers and identity thieves prowl amid the flocks of shoppers like hyenas this busy Christmas season, picking off their prey. Thus, it seems I “purchased” a $241 Michael Koors handbag from Macy’s for someone in McAllen, Texas. It likely ended as Ebay NWT (new with tags). But that was just the beginning.

“FWD: IMPORTANT INFORMATION FROM TARGET: 
Dear Guest,
We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV.”

Whoops…not supposed to be storing that CVV! Was this a database breach or a wiretap? The security folks at Target aren’t amateurs; this suggests either a highly sophisticated outside attacker and/or an insider may have been involved.

Then I looked at the dates. Oh heck, I was just shopping at Target myself. Was that how someone got my number for the Michael Koors handbag?

Fortunately, a credit card activity report download proved I’d been shopping at Target on November 16, well before the reported dates of the breach. Guess mine happened somewhere else…

But others aren’t so lucky. On Saturday, December 21 JP Morgan Chase began limiting daily cash withdrawals to $100 and putting on a $300 daily purchasing cap for debit card holders breached at Target. What if that was your only card and you hadn’t done your Christmas shopping and there’s only a few days left to shop? Then who would you call the Grinch that stole Christmas?

References:

CNBC: Weak U.S. Card Security Made Target a Juicy Target
Krebs Online: Cards Stolen in Target Breach Flood Underground Markets

American Banker: Target Breach Sends Chills: Is Any Merchant Safe, Even with EMV?