At least some of the credit and debit card numbers that were comprised in a massive holiday shopping-season data breach are already being bought and sold on the black market, according to a security columnist.
“Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card,”, Brian Krebs, a former Washington Post reporter and cybercrime specialist who initially broke the data breach story, wrote in a lengthy update on his blog KrebsOnSecurity.org on Friday.
Krebs has been investigating the shady world of black market online "card shops" where thieves can sell stolen credit card data to other thieves who then create duplicate counterfeit cards.
Krebs writes that he has learned that bank fraud investigators have themselves gone undercover into the card shops and have been buying back stolen card numbers from their own customers. One thing the card numbers have in common: purchases made at Target from Nov. 27 and Dec. 15, Krebs writes.
Target Corp. confirmed the data breach Wednesday night, acknowledging that up to 40 million credit and debit cards of shoppers at stores nationwide were compromised between Nov. 27 and Dec. 15.
Target issued a new statement with updated information Friday. Target says:
– There have been very few reports of actual fraud since the breach.
– There is no indication that the thieves accessed PIN numbers from debit cards, card owner dates of birth, or the three- or four-digit numbers printed on the back of cards typically needed for purchases.
– Target customers will not be held liable for fraudulent purchases made as a result of the breach.
Target customers are trying to figure out what to do next – specifically, wondering whether they should cancel their cards.
Concerned customers overwhelmed Target's call centers, website and social media channels Thursday with inquiries. Many were unable to access Target REDcard accounts online or experienced long wait times over the phone.
The Star Tribune reports that one small institution, First Alliance Credit Union in Rochester, identified 859 of its 12,600 members as having used their cards at Target during the time in question, and now the credit union is seeking to replace all those customer cards, at a cost of roughly $5 a card.
Another Minnesota bank went as far as canceling the debit cards of 180 customers, KARE 11 reports. Wadena State Bank issued new cards to the customers whose records showed they used their cards at Target during the breach period.