Over the course of 19 days, beginning on the day before Thanksgiving, hackers obtained personally identifiable information, including credit card numbers and security codes, from 40 million shoppers at some 1,800 Target stores in the United States. It was one of the largest, speediest and most sophisticated retail-data thefts ever.
The largest retail data theft was in 2007 at T.J. Maxx and Marshalls (both are owned by The TJX Companies, Inc.). It involved the theft of data from 90 million credit cards over the course of 18 months. The thieves obtained the data by hacking into the company's back-office computer system. In contrast, investigators believe the Target thieves used a technique called "skimming," which required them to implant a small chip or software application into the credit-and debit-card magnetic stripe readers attached to each store's cash registers. Who implanted the chips or software — and how they did it — are the big questions facing investigators.
Over the weekend, Target offered its customers a 10% discount in its U.S. stores and free credit monitoring to at-risk customers. That was not nearly enough to keep everyone happy. Target customers already have filed nationwide class-action lawsuits against the company. State attorneys general are investigating Target to determine when Target realized there was a security issue and how quickly it responded. JPMorgan Chase announced that customers who used its debit cards during the breach period would be limited to daily withdrawals of $100 and daily purchases of $300.
The incident highlights the importance of using physical safeguards to protect customers' personally identifiable information against theft.