Hackers have successfully stolen 40 million credit and debit cards from retail giant Target.
The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining "unauthorized access" to customers' names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers -- or in Target's marketing-ese, "guests."
"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its US stores," according to a statement released Thursday by Target. "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."
Target said it had immediately notified law enforcement agencies as soon as it discovered the breach, and that it planned to hire a third-party digital forensics firm to investigate the breach and recommend information security improvements.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, Target's president and CEO, in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."
Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.