NEW YORK – Potential victims of credit card fraud tied to Target’s security breach said they had trouble contacting the discounter through its website and call centers.
Angry Target customers expressed their displeasure in comments on the company’s Facebook page. Some even threatened to stop shopping at the store. Target apologized on Facebook and said it’s working hard to resolve the problem and is adding more workers to field calls and help solve website issues.
The fury and frustration come as the nation’s second-largest discounter acknowledged Thursday that data connected to about 40 million credit- and debit-card accounts was stolen as part of a breach that began over Thanksgiving weekend.
The theft is the second-largest credit-card breach in U.S. history, exceeded only by a scam that began in 2005 involving retailer TJX Cos. That incident affected at least 45.7 million card users.
Target disclosed the theft a day after reports that the company was investigating a breach. The retailer’s data-security troubles and its ensuing public relations nightmare threaten to drive off holiday shoppers during the company’s busiest time of year.
Customers who made purchases by swiping their cards at Target’s U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data included customer names, credit- and debit-card numbers, card expiration dates and the embedded code on the magnetic strip found on the backs of cards, Target said.
There was no indication the three- or four-digit security numbers visible on the back of the card were affected, Target said. The data breach did not affect online purchases, the company said.
Eric Hausman, a Target spokesman, said the company is engaged in “an ongoing investigation.”
Target hasn’t disclosed exactly how the breach occurred but said it has fixed the problem.
Given the millions of dollars that companies such as Target spend implementing credit-card security measures each year, Avivah Litan, a security analyst with Gartner Research, said she believes the theft may have been an inside job.
“The fact this breach can happen with all of their security in place is really alarming,” Litan said.
Other experts theorize that Target’s network was hacked and infiltrated from the outside.
Whatever the case, Jason Oxman, CEO of the Electronics Transaction Association, which represents the payments technology industry, said data breaches like Target’s are generally “heavily organized and sophisticated.”
Annual losses from global credit- and debit-card fraud are on the rise. Last year, it reached $11.27 billion, up 11.4 percent from the previous year, according to The Nilson Report, which tracks global payments. Even so, Nilson’s publisher David Robertson pointed out that fraud still accounts for less than 6 cents of every $100 spent.
Target, which has almost 1,800 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach Dec. 15. The company is teaming with a third-party forensics firm to investigate and prevent future problems.
The credit-card breach poses a serious problem and threatens to scare away shoppers who worry about the safety of their personal data.
Target advised customers Thursday to check their statements carefully. Those who see suspicious charges should report them to their credit card companies and call Target at 866-852-8680. Cases of identity theft can also be reported to law enforcement or the Federal Trade Commission.
“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence,” Chairman, President and CEO Gregg Steinhafel said Thursday in a statement.
The incident is particularly troublesome for Target because it has used its store-branded credit and debit cards as a marketing tool to attract shoppers with a 5 percent discount.
During an earnings call in November, the company said some 20 percent of store customers as of October have the Target-branded cards.
In fact, households that activate a Target-branded card have increased their spending at the store by about 50 percent on average, the company said.
TJX Cos., which runs stores such as T.J. Maxx and Marshall’s, had a breach that began in July 2005 and exposed at least 45.7 million credit and debit cards to possible fraud. The breach was not detected until December 2006.
Without anyone noticing, one or more intruders installed code on the discount retailer’s systems to methodically collect and transmit account data from millions of cards.
In 2009, TJX agreed to pay $9.75 million in a settlement with multiple states.
Litan doubts the breach will have much effect on Target’s sales, noting that TJX launched sales promotions immediately following the news of its breach. The effort increased sales.
“People care more about discounts than security,” Litan said.