Today, Target confirmed that hackers breached the retailer's system, stealing the information for tens of millions of credit cards — both Target cards, and those from other issuers.
"Approximately 40 million credit and debit card accounts may have been impacted," the retailer said in a statement on its website. The breach started the day before Thanksgiving, and continued through December 15, right in the thick of the holiday rush.
This means, at least theoretically, that hackers could make a whole bunch of counterfeit credit and debit cards by encoding the stolen "track data" on any magnetic stripe, says Krebs on Security, which broke the story. Depending on whether the thieves also nabbed PINs or other data, they may be able to use the cards to make purchases and even withdraw money from ATMs.
If 40 million credit and debit cards sounds like a lot, it is; but it's no record breaker. In 2009, cyber-criminals hacked Heartland Payment Systems, a credit card processor, and stole data for 130 million cards. Here's The Wall Street Journal on the modern history of mass credit card theft:
One of the biggest incidents to hit the industry took place in 2007, when thieves stole card numbers and personal data on up to 90 million cards belonging to people who had shopped at stores owned by TJX, parent of T.J. Maxx, HomeGoods and other discount chains.
In July, federal prosecutors unsealed criminal charges in an ongoing investigation of a group of people believed to have stolen more than 160 million credit and debit card numbers from companies including J.C. Penney Co., 7-Eleven, Nasdaq OMX Group, JetBlue Inc. and others over several years. [The Wall Street Journal]
Okay. But how does someone collect information for 40 million — or 160 million! — credit cards without being detected? In the Target hack case, it was not by infiltrating Target.com from the safety of the hackers' dark basements, it seems. This hack appears to affect those shopping at nearly every brick-and-mortar Target location throughout the nation, without impacting those online.
This means hackers had to hit the point-of-sale systems — the hardware and software the retailer uses at the checkout line to process credit cards and record sales. "As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number," reports Slate.
Of course, this doesn't mean the baddies hoofed it to over 1,800 Target locations in the U.S. and Canada. Rather, according to security experts, someone inside the company would have had to insert the malware on a Target machine, says The New York Times.
The other possibility is that a hacker "persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cyber criminals a foothold into a company's point-of-sale systems," says the Times.
In which case, the moral is: don't click on emailed links from strangers. Especially not at work.