Target confirms security breach, shares tumble (updated)

It’s every shopper and retailer’s nightmare just ahead of the holidays, to find out customer name, credit or debit card number, and the expiration date plus three-digit security code of their cards are all potentially part of the data breach from hackers.

But that’s what has happened for shopper’s at Target during the busiest time of the year — pre-Thanksgiving through Black Friday out to Dec. 15.

Target sent a letter to its customers explaining the unauthorized access to its payment data, apologizing for any inconvenience the breach might cause.

“The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident. We began investigating the incident as soon as we learned of it.,” Target noted in the letter.

The retail giant said it’s partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future.

Target said it also alerted authorities and financial institutions immediately after the breach was discovered and confirmed the unauthorized access.

“We are putting our full resources behind these efforts,” Target said.


The breach affects some 40 million credit and debit card accounts used during the two-week period at Target Stores across the U.S.

Target said it has resolved the threat so that its consumers can shop with confidence.

But the retailer urges anyone who shopped at Target between Nov. 27 and Dec. 15, paying with credit or debit cards should monitor those accounts very closely as well as order a copy of their credit report, which can be done once a year for free.

Target has not revealed exactly what happened to cause the unauthorized access but it is believed that the theft may have occurred through software installed at machines customers use to swipe their cards when paying.

Spokeswoman Molly Snyder said the company has been reaching out to customers via emails and social media with the news of the breach.

“This is a sophisticated crime,” she said, declining to be more specific. The intrusion didn’t affect Target.com or its Canada operations, she said.

Cyber security veteran Jim Stickley of TraceSecurity said because the criminals in this case have managed to capture the credit card “track” information, they could have access to more than just the credit card number.

“This changes everything,” Stickley said. “This breach gives criminals not only the credit card number, holder name and expiration date, but in some cases they could also have access to the pin and card code. With this data, they can basically make their own credit cards, exactly as the owner has them … and then go shopping. What’s worse is if they do gain access to the card code, they can remain completely anonymous by shopping online.”

It's unclear just how much this security breach will cost Target but the largest hacker invasion which occurred in 2007, cost TJX, parent of TJ Maxx, Marshall's and Home Goods, some $256 million. The TJX breach affected roughly 100 million consumers and dinged the company's earnings some 25 cents a share.

“The most important thing in such crisis management is maintaining customer trust and therefore longer-term loyalty,” said Greg Melich, analyst with ISI Group. He said the disruption and uncertainty hung for months over TJX after the security breach, putting significant pressure on the stock.

Target shares slid more than 2% Thursday (Dec. 19) to close at $62.15, while the broader markets traded higher.

Analysts said while this search for the truth is happening, the issue damages the trust Target has gained. 

Brian Sozzi, CEO of Belus Capital Advisors said more importantly it calls into question how sales will trend in January.