UPDATE – TJX and Heartland Payment Systems may soon have company atop the list of the worst retail data breaches in U.S. history after reports surfaced that Target Corp. was breached around Black Friday and millions of credit and debit cards were stolen.
Target confirmed the breach this morning and said in a statement that 40 million credit and debit cards were accessed starting the day before Thanksgiving and that hackers had access to the company’s systems until Dec. 15. Target said the issue has been resolved and that the company is working with law enforcement and has hired a forensics firm to help with the investigation. It is also working with financial services organizations and credit card companies to notify affected customers.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, Target chairman, president and chief executive officer. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Krebs on Security reported Wednesday afternoon that the breach began on or around Nov. 29, Black Friday, the kickoff to the Christmas shopping season, and could have lasted as long as Dec. 15. The Wall Street Journal also reported on the breach, corroborating many of the same facts.
The breach affects only those customers who shopped at physical Target locations, and sources told blogger Brian Krebs that nearly all Target locations in the U.S. could be involved. Online shoppers at Target.com were not impacted, sources said.
Few details are available, but it appears the hackers made off with track data, or personal information stored on the magnetic stripes on credit cards. It’s unclear whether PINs were stolen as well, but if they were, ATM cards could be replicated and used to withdraw money.
Sources told Krebs that the breach could be among the largest retail breaches in U.S. history.
More than 45 million credit cards were stolen in the TJX hack; in 2010 Albert Gonzalez of Miami was sentenced to 20 years in prison for his orchestration of the breach. He was also sentenced in the Heartland Payment Systems breach, which involved tens of millions more credit card numbers stolen from a number of retailers.
The TJX hack is the poster child of retail data breaches. Gonzalez’s ring was on the TJX network for as long as two years, and the breach affected customers who shopped in any of TJX Company’s retail operations from as far back as 2003 until December 2006.
This article was updated at 7 a.m. with comments from Target Corp., and clarifications throughout.