Target Corporation Data Breach: Repercussions for Credit Unions
HELPING MEMBERS WITH ISSUES OF FRAUD
By Paul Clampitt

January, 2014

Target and the Credit Union Paradigm

Executive Summary
Forty million Target Corporation in-store shoppers were victimized by a major data breach that spanned November 27 through December 15, 2013. Hackers hijacked sensitive information — including PIN numbers — residing on the magnetic strip of both debit and credit cards. The breach occurred as a result of malware installed on Target’s point-of-sale terminals in each of its 1,797 store locations. Compromised accounts include Target’s proprietary cards and those of other issuing banks, constituting every major card brand. Illicit websites immediately began selling the compromised information “dumps” to international card counterfeiters and fraudsters, and back to issuing banks trying to mitigate their risk. Confirmed fraud involving the compromised card information was detected by multiple card processing companies on or before December 18, 2013, when the breach was first reported.

Subsequent forensics revealed an additional 70 million identities were taken during the same intrusion; this information includes names, mailing addresses, and phone numbers or email addresses. Whether the 70 million identities includes online Target shoppers has not been clarified, but suspicions are rising. The second component of the data breach was disclosed on January 10, 2014, making the Black Friday Target breach the most extensive in history. There was a second announcement made the same day — late that afternoon, high-end retailer Neiman Marcus disclosed that the company experienced a similar breach during the Black Friday shopping window. Although precise circumstances of the Neiman Marcus breach have not been disclosed, the gravity of a sophisticated and coordinated attack against multiple retailers is frightening.

From a damage perspective, the Target breach is probably the worst in history. Certainly, the fraudulent use of the stolen information is pervasive and disturbingly audacious. There is no question, people and companies are being victimized by fraud made possible because of the compromised Target information.

The Credit Union Challenge
Quite often, folks turn to a financial institution for guidance and protection from the threat of a major breach — for many families their trusted source is a local credit union. And why not? The lifeline for any credit union is a secure base of satisfied members. Few acts are more endearing than a credit union standing shoulder-to-shoulder, brothers-in-arms with its member to defend their financial well-being against international criminals. After all, no one wants to be intimidated or threatened by “Boris and Natasha” stamping out bogus credit cards in Kaunas, Lithuania.

How extensive is the problem and what is the likely impact on a credit union’s membership? To begin, the breach occurred at every Target store scattered throughout the country — no region or area was spared. One major card issuer, J.P. Morgan Chase, contacted 2 million of its affected debit cardholders. Chase estimates the compromised cardholders to be nearly 10 percent of its customer base. Extrapolating 40 million card thefts from total debit and credit cards issued in the U.S. yields a similar victimization rate of 8.4 percent. As always, the family victimization rate is higher, probably around 15 percent when duplications are eliminated. Senator Edward J. Markey (D-Mass.) summed the situation succinctly, “When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed.”

Additionally, many credit union commercial accounts, particularly retailers and merchants, will be affected by subsequent fraud in weeks and months to come. Finally, for those credit unions that have issued credit and debit cards, their problems are further compounded by expenses associated with reissuing new cards and PIN numbers.

Yes, the Target data breach is very serious for credit unions and their members. Find out why we call the breach

The Nightmare Before Christmas!

First public disclosure; An admission by Target

On December 19, 2013, Target Corp. confirmed a report issued the previous day that hackers hijacked sensitive data from 40 million payment cards. The affected data included customer names and credit or debit card numbers. The expiration dates associated with those cards were also compromised, giving thieves the data required to make purchases at some merchant web sites. The cyber criminals also made off with the CVV, or Card Verification Value code, which resides on the magnetic stripe of payment cards.2 Apparently, they did not access the CVV2 code, the 3- or 4-digit code used by many online retailers to verify that a consumer making a purchase has the card in their hand. However, not all retailers ask for the CVV2 code and are, as a consequence, at risk.

No bargains on “Black Friday” at Target

The cards were used by shoppers who visited Target stores from November 27 through December 15. Apparently the breach occurred during the period when Americans kick off their holiday shopping and store traffic is normally at its highest during the year. Retailers try to lure shoppers to stores on Black Friday with "door buster" deals and overnight hours that often draw big crowds.

Target cards and those of every major brand

Affected payment cards include Target's REDcard private label debit and credit cards as well as other bank cards, Target spokeswoman Molly Snyder told Reuters.1 KrebsOnSecurity, a closely watched security blog that broke the news on December 18, said the breach involved nearly all of Target's 1,797 stores in the United States. Target said its online business had not been impacted.

Merry Christmas from Target

Target notified law enforcement and the financial institutions that issue the credit and debit cards. The retail chain also posted a note on Target.com notifying consumers of the data breach: “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.”

About Institution Solutions & ALLOY

Founded in 1996, Institution Solutions Inc. (ISI) is becoming one of the fastest growing insurance administrators in the financial institution industry. Providing personalized product development, custom marketing strategies, innovative technology solutions and unparalleled customer care and support. ISI takes pride in its ability to increase member loyalty and generate fee income for its clients.

Alloy is a better insurance model, offering an independent insurance agency custom tailored to the Credit Union’s needs and capabilities. Alloy leverages cutting edge technology, competitive products, industry know-how and a dynamic agency team to deliver the right product at the right time and price to Credit Union members.

For more information contact,

Institution Solutions Media Contact:

Rebecca Christenson,
Marketing and Communications Manager
Rchristenson@isillc.com
214-431-5411

Download this Press Release

If you'd like a hard copy of this Press Release, please click the button to the right.

Download