U.S. markets closed

What to do if you shopped at Target during its data breach

Merchandise baskets are lined up outside a Target department store in Palm Coast, Florida, December 9, 2013. REUTERS/Larry Downing

Consumers who shopped at one of Target’s 1,778 stores between Nov. 27 and Dec. 15 should check their credit and bank card statements for any fraudulent activity.

Target (TGT) confirmed Thursday that it’s investigating a security breach that may have impacted as many as 40 million people. The stolen data include customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards. The breach affected transactions at Target’s bricks-and-mortar locations nationwide, not online purchases.

Security blogger Brian Krebs first reported the breach on Wednesday. Krebs wrote that the type of data stolen “allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.”

The incident may have involved tampering with the machines customers use to swipe their cards when making purchases, according to the Wall Street Journal.

In a statement on its site Target said the breach may impact shoppers who made credit or debit card purchases in stores from Nov. 27 to Dec. 15. The Minneapolis-based retailer said it is partnering with a forensics firm to investigate the incident and recommended customers “remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.”

What should you do?

What does this breach mean for consumers, in particular those who shopped at Target stores in the period between Nov. 27 and Dec. 15?

First thing to do is check your credit card statements for unfamiliar purchases, as well as your bank account daily online to ensure there are no fraudulent transactions, says Linda Sherry, director at consumer rights advocacy group Consumer Action. Report any problems immediately to your bank. Your bank should contact you if your credit card was part of the breach. If you were affected, you’ll get a new credit card account number (obviously an inconvenience, especially during the holidays). You won’t be held liable for unauthorized charges made using your credit card number.

American Express (AXP) and Discover (DFS) said they were aware of the breach at Target and had fraud measures in place, according to a CNNMoney article.

If you receive a data breach notification letter from Target, “you know with certainty your information was compromised,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center. (Consumers who know their card data was stolen can contact the ITRC at 888-400-5530 for help on what steps to take next.)

Sherry suggests impacted consumers ask their bank to waive the expedited delivery fee for a new card. Also ask if any credit monitoring services are being offered to victims of the breach.

What does it mean for Target?

The real victim here is Target itself, says Avivah Litan, a vice president and analyst at Gartner Research. In a post about the breach, Litan said that the retailer has no doubt spent a “small fortune on payment card security,” but was still hacked.

The payment card industry is likely going to raise Target’s merchant fee that it pays Amex, MasterCard, Visa and other credit card companies on transactions by a few points, and will also fine Target for the breach, Litan says. In the end, she estimates the theft will cost Target less than $25 million. But the fees it pays credit card issuers in transaction costs may be twice that amount. “If they get much higher, Target may have to pass on these costs to consumers in the form of higher prices,” she says.

Security breach surge

In the past few years criminals have grown increasingly adept at breaching the systems of merchants and processors that store or transmit consumers’ payment information. In a report published this month, Javelin Strategy & Research found the number of notified credit-breach victims who suffered fraud increased 340% from 2010 to 2012, resulting in $4.8 billion in fraud losses. According to the study, 15.8 million consumers were notified their card information was compromised in 2012.

The Target theft is the largest such corporate breach since 2007, when TJX Companies (TJX), which owns discount retailers TJ Maxx, Home Goods and Marshalls stores, disclosed that 45.7 million credit and debit cards were exposed to possible fraud. TJX's computer systems were breached over the course of two years, beginning in 2005. The data breach ended up costing the company $256 million. In that case, attackers gained access through a wireless regional hub to intercept payment information.