So a cyber Grinch stole your card at Target? Here's what to do.

Target reports that as many as 40 million customer credit and debit card numbers were stolen since the day after Black Friday. Advice from experts: Check credit cards and, especially, debit cards immediately for fraudulent purchases.

Steven Senne/AP
A woman pushes a shopping cart (r.) while departing a Target store on Thursday in Watertown, Mass. Target says about 40 million credit card and debit card accounts of customers may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear.

American consumers woke up to a post-shopping scare Thursday, as the US mass retailer Target reported the cybertheft of as many as 40 million credit and debit card numbers of its customers at the height of the Christmas shopping season, starting around Black Friday.

The Target heist is the second largest, after the TJ Maxx cybercrime that exposed at least 100 million cards in 2007, but it is shaping up to be the most audacious in the checkered history of card fraud, taking place during the top shopping weeks of the 2013 Christmas season. The theft ring apparently intercepted credit card information, including card expiration dates and the CVV security numbers on the back.

Credit card companies say they are on the case to ensure that customers don’t have their accounts breached. But security experts say consumers themselves need to check, immediately, any credit card accounts they've used at Target stores to see if the cards have been used by the Target fraudsters to make fraudulent purchases.  

Given the dynamics of this case, the stolen data could be used to duplicate debit cards, for example, and to gain access to consumers' checking accounts. It also opens the door to identity theft.

“These are organized criminals that have got their sights set on getting hold of card data so they can take over accounts. So first you need to check and see if the Grinch has done that,” says Tom Field, a vice president at Information Security Media Group in Princeton, N.J.

“The first thing to do is check your accounts to make sure there’s nothing there you don’t recognize," he says. "Quite often, fraudsters will do a test run on a card, a small transaction to make sure it works, and then do something bigger. So go in there and make sure you did buy that cup of coffee.”

Mastercard is reporting that it has spotted nine fraud alerts that appear to be connected to the Target theft. Other card issuers suggest that, so far, only a small number of cardholders have been targeted for fraud.

"Perhaps the fraudsters are selling this info by card type," one credit card executive tells Tracy Kitten of "I hear from contacts at a processor that activity indicates that they might be going BIN [bank identification number] by BIN. We haven't seen a spike in volume yet, but we are monitoring."

The Secret Service is investigating how on earth thieves took information across the big-box retailer’s 1,727 stores in the US between Nov. 27 and Dec. 15, and Target says it has “resolved” the issue so that no more data can be stolen.

"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the company said in a statement. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."

But Target shoppers are still left with a sour question only a week from Christmas: Now what?

First, vigilant consumers shouldn't panic, says Mr. Field of Information Security Media Group.

“You’re not going to be held liable for fraud committed against you, and you will be reimbursed for anything you lose,” he says. “But that doesn’t mean you’re not going to lose the time it takes to undo the damage of account takeover.”

Debit card users should be especially vigilant, experts say. With the kind of information stolen, thieves can, for instance, create duplicate cards that could give them entrée directly into a consumer's checking account. Indeed, debit card users have the most risk of exposure in the case of a massive data breach, they say.

About 1 in 14 debit card users has had money stolen from an account in the past five years, reports Teresa Dixon Murray in the Cleveland Plain Dealer.

Debit card users also have fewer protections under federal law, she writes. For one thing, under the law, credit card users have a $50 liability limit if the fraud is reported within 60 days; debit card users have only two days to report the fraud, or their liability limit rises to $500.

The vast majority of identity theft does involve credit card accounts or bank accounts. In 2012, 14 percent of victims of identity theft saw monetary losses, according to the US Bureau of Justice Statistics.

Most of those people resolved their situations within one day, though some who had fraudulent usage of their accounts spent a month or so trying to resolve the problems, the Bureau of Justice Statistics reports.

The Target breach, information security experts say, is just one example, though the largest, of the kinds of sophisticated attacks on retailers that have been under way all year by international organized crime syndicates.

“This is the most public example we’ve seen of what’s been happening all year,” Field says. “Hackers have been getting access to payment card data either at the point of sale, where they’ve got something on the card reader … or intercepting data somewhere between the merchant and the card processor, or they’re breaching the card processor.

"But, honestly, that doesn’t matter," he adds. "What matters is this is happening with alarming frequency. Consumers should pay attention. It’s happening all around them.”

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to So a cyber Grinch stole your card at Target? Here's what to do.
Read this article in
QR Code to Subscription page
Start your subscription today