Data breach at Target; 40 million customers at risk

(WMC-TV) - Data security sources said Target may have violated payment card industry standards in a data breach that potentially compromised 40 million customers.

According to Target's web alert, the breach may affect any card-using customer who shopped the Minneapolis-based chain's stores nationwide between Nov. 27 and Dec. 15. It does not include online purchases.

The alert revealed the breach may have exposed customers' names, credit/debit card numbers, expiration dates and CVV codes. Those are the 3-digit "card verification value" codes, typically marked on the back of the cards.

"Really, the CVV information is not supposed to be stored at all," said Jeff Horton, CEO of Germantown, TN-based One Point Solutions Group, an Internet data security firm.

According to the payment card industry's standard site, retailers are expected to "...not store sensitive authentication data contained in the payment card's storage chip or full magnetic stripe, including the printed 3-4 digit card validation code...after authorization."

"You put (the validation code and card number) together, and you can authorize charges that way, so it's a big no-no to store all that information together," Horton said.

Store spokesperson Eric Hausman insisted the breach had nothing to do with how Target stores customers' information.

"That's not the issue here," Hausman said. "The unauthorized access of customer information happened at the point of the swipe. We're still investigating whether customers' 3-digit codes were actually compromised."

Horton said if that's accurate, then someone -- or some group -- had to steal the information directly from Target's "point-of-sale terminals": the cash registers.

"They would've had to hack into the software that controls those point-of-sale terminals and do it on a mass scale, so across the entire country...not just one point-of-sale terminal, but lots of them," he said.

The U.S. Secret Service is leading the criminal investigation of the breach. Special Agent Brian Leary said the agency would not comment on an on-going investigation.

"We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future," said Target in its web alert.

Target customers who fear their information was compromised:

* CHECK YOUR DEBIT/CREDIT CARD STATEMENTS. Look for any unusual or unauthorized charges.

* CHECK YOUR CREDIT REPORT FOR UNAUTHORIZED ACTIVITY. Only use AnnualCreditReport.com to pull a free annual credit report from each of the three credit bureaus (Experian, EquiFax, TransUnion). Consider adding a fraud alert to your credit report if there is evidence of tampering with your credit identity.

* IF YOU DISCOVER UNAUTHORIZED CHARGES, CALL YOUR BANK FIRST, YOUR CREDIT CARD COMPANIES SECOND. CALL THE LOCAL LAW ENFORCEMENT AUTHORITY WHERE YOU LIVE IF EITHER YOUR BANK OR YOUR CREDIT CARD COMPANY REQUIRES A POLICE REPORT.

* USE CASH OR CREDIT CARDS ONLY IN FUTURE PURCHASES. Credit cards, unlike debit cards, have built-in insurance features. By federal law, you are never liable for more than $50 of any disputed credit card charge, and most credit cards now offer zero liability.

* IGNORE UNSOLICITED CALLS FROM PEOPLE CLAIMING TO BE FROM TARGET. Target personnel will not contact customers directly in this case. Any calls will be from impostors trying to use the breach to steal your personal information.

(Sources:  Andy, The Better Business Bureau of the Mid-South)

Copyright 2013 WMC-TV. All rights reserved.