Gregg Steinhafel, the CEO of Target, has apologized for the major credit and debit card swipe that has left millions open to having their data stolen.
“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores,” he said in a long post on the Target website. “The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.”
Angry Target customers expressed their displeasure in comments on the company’s Facebook page and in other venues after the company revealed that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.
The theft is the second-largest credit card breach in U.S. history, exceeded only by a scam that began in 2005 involving retailer TJX Cos. That incident affected at least 45.7 million card users.
“We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud,” Steinhafel said. “In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.”
Christopher Browning, of Chesterfield, Va., said he was the victim of credit card fraud earlier this week and believes it was tied to a purchase he made at Target with his Visa card on Black Friday. When he called Visa on Thursday, the card issuer could not confirm his suspicions. He said he hasn’t been able to get through toTarget’s call center.
On Monday, Browning received a call from his bank’s anti-fraud unit saying there were two attempts to use his credit card in California — one at a casino in Tracey, Calif., for $8,000 and the other at a casino in Pacheco, for $3,000. Both occurred on Sunday and both were denied. He canceled his credit card and plans to use cash.
“I won’t shop at Target again until the people behind this theft are caught or the reasons for the breach are identified and fixed,” he said.
Steinhafel said that Target takes this crime seriously, and it was a crime against the company, company staff, and the company’s customers.
“We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22,” he said. “Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”
The discount isn’t valid in Canada and is limited to one offer per guest.
Customers who made purchases by swiping their cards at its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip found on the backs of cards, Target said.
There was no indication the three- or four-digit security numbers visible on the back of the card were affected,Target said. The data breach did not affect online purchases, the company said.
Eric Hausman, a Target spokesman, said the company is engaged in “an ongoing investigation.”
Target hasn’t disclosed exactly how the breach occurred but said it has fixed the problem.
Given the millions of dollars that companies such as Target spend implementing credit-card security measures each year, Avivah Litan, a security analyst with Gartner Research said she believes the theft may have been an inside job.
“The fact this breach can happen with all of their security in place is really alarming,” Litan said.
Other experts theorize that Target’s network was hacked and infiltrated from the outside.
Whatever the case, Jason Oxman, CEO of the Electronics Transaction Association, which represents the payments technology industry, said data breaches like Target’s are generally “heavily organized and sophisticated.”
Annual losses from global credit and debit card fraud are on the rise. Last year, it reached $11.27 billion, up 11.4 percent from the previous year, according to The Nilson Report, which tracks global payments. Even so, Nilson’s publisher David Robertson pointed out that fraud still accounts for less than 6 cents of every $100 spent.
Target, which has almost 1,800 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach on Dec. 15. The company is teaming with a third-party forensics firm to investigate and prevent future problems.
The credit card breach poses a serious problem and threatens to scare away shoppers who worry about the safety of their personal data.
Target’s stock dropped more than 2 percent, or $1.40, to $62.15 on Thursday.
“This is close to the worst time to have it happen,” said Jeremy Robinson-Leon, a principal at Group Gordon, a corporate and crisis public relations firm. “If I am a Target customer, I think I would be much more likely to go to a competitor over the next few days, rather than risk the potential to have my information be compromised.”
Target advised customers Thursday to check their statements carefully. Those who see suspicious charges should report them to their credit card companies and call Target at 866-852-8680. Cases of identity theft can also be reported to law enforcement or the Federal Trade Commission.
The Associated Press contributed to this report.