Target data breach sets off alarms

Hackers targeted credit card transactions at Target. Above, a Target store in Somerville on Black Friday.
Aram Boghosian for The Boston Globe

The giant retailer Target is facing a maelstrom of criticism and regulatory scrutiny following its acknowledgment Thursday that credit and debit card information from as many as 40 million customer accounts was stolen at the height of the holiday shopping season.

It was one of the largest data breaches in US history, and frustrated Target Corp. customers sounded off on social networks, blogs, and online comment pages, as well as in conversations in offices, coffee shops, and malls across the country. Twitter buzzed with anger and disbelief packed into 140 characters.

“Gotta call 5 different banks/credit card companies,” one tweeter lamented. “Grr,” concluded another.


Eric Hill, 45, of Newton, who shopped at Target recently, said the theft “blows me away” and has him thinking that using cash might be safer.

“Ninety-five percent of my transactions are on credit card,” he said. “This has me rethinking that.”

It is unclear how many Massachusetts customers are affected by the breach, but 36 of Target’s 1,800 stores are in the state.

Aram Boghosian for The Boston Globe
Harvard student Jenni Ting paid for items at the Somerville Target on Black Friday. The data breach comes at a critical time: during holiday shopping.

Target said financial data were stolen between Nov. 27 and Dec. 15, a period that included Black Friday, one of the busiest shopping days of the year.

State regulators from both the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation said they had contacted Target to find out details of the breach.


Under state law, Target must notify the officials about how many Massachusetts customers are affected, but it had yet to do that Thursday, a Consumer Affairs spokeswoman said.

Attorney General Martha Coakley said her office will work with regulators in other states “to determine whether the company had proper safeguards in place to protect consumer information.”

Customers who shopped at Target during the period could be at risk of having their cards used fraudulently for months to come and should closely monitor their bills for the next two years or request new accounts, Coakley advised.

Some banks are already issuing new cards to customers.

So far, Target has offered scant details on how hackers were able to infiltrate and grab the customer data.


The Minneapolis-based retailer, however, tried to reassure customers wrapping up their Christmas shopping that credit card transactions will be safe. It has hired a forensics firm to investigate and prevent future breaches.

“It’s an ongoing investigation,” said Jessica Carlson, a spokeswoman for the retailer, who acknowledged that Target has been flooded with customer calls. “People should shop with confidence at our stores.”

The breach compromised the financial data of customers who made purchases by swiping cards at terminals in Target’s US stores, exposing their names, credit and debit card numbers, card expiration dates, and three-digit security codes on the backs of the cards. The data were stolen from Target brand cards issued by TD Bank, as well as from major card brands such as Visa and MasterCard. Online purchases were not involved.

The scale of the breach stunned consumer advocates and security experts, raising questions about the strength of Target’s data protection and whether the chain followed industry standards. Specialists said it is surprising that the compromised data included the three-digit security code.

Merchants aren’t supposed to hold that data after a purchase is authorized, said John Kindervag, a credit card expert with Forrester Research Inc., a global advisory firm with offices in Boston.

The cyberthieves seemed to have penetrated the chain’s point-of-sale systems and cash registers where customers swipe credit cards, security specialists said. Once a card is swiped, the information usually flows into a central database: It is supposed to be tightly controlled and information stored there should be encrypted, said Julie Conroy, a research director for Aite Group, a Boston financial services research firm.

Some specialists speculated that cybercriminals introduced malicious software by getting an unsuspecting employee to click on an infected e-mail or found a weakness in the computer system’s security. Others said it could have been an inside job.

Data breaches, however, are far from uncommon. In 2007, cybercriminals broke into the computer system of TJX Cos. and stole up to 94 million customer credit and debit card numbers. TJX operates TJ Maxx and Marshall’s stores.

That breach was estimated to have cost the Framingham company about $200 million.

While businesses have spent millions to protect sensitive data in recent years, specialists said, malicious software has grown more complex as underground syndicates trade secrets and sell the software needed to execute attacks.

“The community of criminal hackers that focus on swiping credit cards is vast and global,” said Nick Levay, chief security officer of Bit9 Inc., a Waltham cybersecurity company.

The breach is likely to damage Target’s reputation during a critical period and could ultimately cost the company at least $100 million in legal and other costs, Kindervag said.

“There’s nothing that can happen to you as dangerous as a credit card breach,” he said.

Some customers weren’t deterred. Taylor Minore, 24, shopping at the Target in the South Bay Center in Dorchester, said financial fraud is just a risk of using credit cards.

The breach “makes you aware for five minutes,” Minore said. “But it’s just more convenient to use cards.”

Globe correspondent Emily Overholt, and Michael Farrell and Hiawatha Bray of the Globe staff contributed to this report. Deirdre Fernandes can be reached at