Target confirmed earlier this week that approximately 40 million credit card and debit card numbers belonging to patrons who shopped in the company’s stores on or around Black Friday were stolen in a massive security breach that took place between November 27th and December 15th. Now, the reporter who broke the story is back with some more bad news for Target customers: Those stolen credit card numbers and associated data are now available for sale on several black market websites.
“Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card,” Brian Krebs of KrebsOnSecurity reported on Friday. Krebs noted that the stolen cards can also be paid for using Bitcoin, of course, as well as Litecoin, WebMoney and PerfectMoney.
After learning that the cards were available on the black market, Krebs investigated the matter further to assist a small New England community bank in determining how many of its cardholders might be affected by the breach.
“This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach,” Krebs wrote. “My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.”
And therein lies the biggest problem. As Kashmir Hill of Forbes points out, “Ideally, banks and credit card companies would just go ahead and cancel all affected cards, but that’s expensive for them and a headache for last minute Christmas shoppers. And for those people who only have one credit card or debit card, it could temporarily cut off their means of paying in anything but cash (and they wouldn’t be able to get the cash at ATMs).”
The New England bank Krebs was helping ended up discovering that more than 5,000 of its credit cards were likely compromised in the breach.
On the plus side, Krebs noted in his report that the CVV2 security codes belonging to the 40 million cards stolen from Target were not compromised along with the rest of the card data, which included full names and addresses.