Could Target Data Breach Be Just the Tip of the Iceberg?

Information about the massive Target data breach gets uglier by the day.

The Wall Street Journal reported:

“The holiday data breach at Target Corp. appeared to be part of a broad and highly sophisticated international hacking campaign against multiple retailers, according to a report prepared by federal and private investigators that was sent to financial-services companies and retailers.”

The Journal also said:

“ISight and DHS declined to name other companies that fell victim to the attack. But former U.S. officials and people close to the investigation said it isn’t limited to Target.”

Now there’s a new report from Reuters:

“A cybercrime firm says it has uncovered at least six ongoing attacks at U.S. merchants whose credit card processing systems are infected with the same type of malicious software used to steal data from Target Corp.”

Just to refresh your memory: First, Target announced that the debit and credit card information of 40 million customers who shopped at Target stores between Nov. 27 and Dec. 15 was compromised. Then it said the personal information – like names, addresses, phone numbers and email addresses – of 70 million customers had also been taken.

Then Neiman Marcus said it too had a data breach, although it won’t reveal details. “The luxury retailer said there is no indication its security breach, which also involved malware, was related to Target’s,” the Journal says.

Both Target and Neiman Marcus are offering free credit monitoring to customers for a year. (A Forbes writer said she got an email from Target notifying her that her personal information may have been taken — even though she hasn’t shopped at Target in 10 years.)

The fallout continues.

  • Citi says it’s replacing debit cards that were involved in the Target breach.
  • JPMorgan Chase is replacing both credit and debit cards.
  • Bank of America and Wells Fargo “told me that they’re relying on their standard practices to monitor customers’ accounts to detect fraud but have no plans to replace debit cards as Chase and Citi have done,” wrote Mark Calvey in San Francisco Business Times.

Meanwhile, more details have emerged about how Target could have been infiltrated. You can read the long version on the highly respected Krebs on Security blog. Paula Rosenblum blessedly simplified it in a Forbes post called “Target Data Breach Is Becoming a Nightmare”:

“Long story short, the hackers convinced Target firewalls that they were ‘good guys.’ And once they’d done that, they continued to roam freely around Target’s system. They’ve found data old and new and will use it the way they choose.”

The malware apparently stole payment information at the point of sale before it could be encrypted.

In the absence of knowing how widespread the data breach really is, I’d suggest vigilance.

  • Monitor your credit card and bank accounts. You won’t be liable for fraudulent purchases, but if your debit card has been compromised, a crook could have access to your bank account. That could make life very unpleasant until the bank restores your funds.
  • Keep an eye on your credit reports for suspicious activity.
  • If you think your payment information was stolen in the Target or Neiman Marcus attacks, tell your bank you want a new credit or debit card.
  • Target customers should be on the lookout for phishing attempts.

Rosenblum said banks have been too slow to act, particularly once it was known that hackers had not only payment information from Target but personal information too.

“It’s no longer adequate to just change the PIN numbers. Now, it’s a do-over. I think [issuing new cards] was a wise move. As I’ve mentioned before, I’m frankly pretty befuddled that the entire ecosystem did not move faster to replace cards, change PIN numbers … whatever it took to keep us all safe.”


Comments & discussion


  • Medicine-is-My-Game

    Wow. I wonder how far back it really goes?

  • bigpinch

    My wife got an apology email, claiming to be from Target, offering free credit monitoring for a year. Thing is, the only time she’s been to Target in at least ten years is when I took her to a newly opened mega store in Pflugerville, Texas, and that was more than a year ago. We can’t remember if she used a check or a jointly owned credit card to make the purchase. We don’t use debit cards (an invention of the Devil), and if it was a credit card it was one that has since been replaced because hackers had gotten the old credit card number and personal info when they robbed an on-line ticket sales business. I use the term “robbed” because that’s what it is. “Hacked” sounds a little too innocuous.
    Anyway, I haven’t yet moved on the credit monitoring invitation because I’m not sure that the email isn’t a phishing scam and because I’m not confident that her information for the free credit monitoring, given to Target, wouldn’t be robbed again.
    Isn’t it interesting that with all we’ve learned about how the government has been snooping on our personal communications, through the NSA, somehow nobody seems able to get a lead on these so-called hackers?