Target acknowledges security breach; 40 million accounts compromised
December 20, 2013 12:05 AM
Phil Coale/Associated Press
A customer signs his credit card receipt at a Target store in Tallahassee, Fla. Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred at its U.S. stores between Nov. 27, 2013, and Dec. 15, 2013.
By Teresa F. Lindeman / Pittsburgh Post-Gazette
Millions of people got a gut check Thursday, when mass merchant Target confirmed reports that somebody had breached the company's security systems and gained access to as many as 40 million credit and debit card accounts during a time of year when Americans are doing a lot of shopping.
"I use my Target card all the time," said Britt Beemer, chairman and CEO of retail consulting firm America's Research Group in Charleston, S.C., upon hearing the news of the security breach.
"I'm probably going to be caught up in it," sighed Ben Woolsey, director of marketing and consumer research for CreditCards.com, an online credit card marketplace in Austin, Texas.
Mr. Woolsey said his wife had been shopping at the mass merchant within the key period.
But then, so were a lot of other people.
The unauthorized access came between Nov. 27 -- the day before Thanksgiving -- and Sunday, according to Target's official statements.
The news broke just as the nation's retailers are heading into the last shopping weekend before Christmas, a time when many chains are planning to stay open for days on end and offer big discounts to try to win any business that may still be out there.
ShopperTrak, a Chicago retail tracking firm, reported the number of people in stores last week fell almost 20 percent compared to the same week a year ago, not helped by snowstorms across many areas, including parts of Pennsylvania.
The retail firm predicted that several of the next few days, including the last Saturday before Dec. 25, would be among the busiest shopping days of the holiday season.
"It's make or break," Mr. Beemer said, noting that how well retailers do in this last stretch could decide whether they'll break even.
Into the steady stream of announcements coming from retailers such as Toys R Us, Kohl's and Macy's that they would offer extended hours through Tuesday, Target's bad news arrived as an unwelcome reminder that even reputable companies can be vulnerable to security problems.
The Minneapolis retailer said the unauthorized access included customer names, credit or debit card numbers, card expiration dates and the three-digit security codes.
"It appears every single Target store in the country was affected," said Mr. Woolsey, who, like other experts, was trying to figure out what happened and how it happened.
There was speculation that the breach was an inside job, or maybe one or more employees were tricked into clicking onto something that opened the company's systems to hackers. "We just don't have enough details," Mr. Woolsey said.
Target said it quickly brought in law enforcement officials when it realized what had happened. "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, chairman, president and CEO, in an official statement.
The retailer did not disclose the breach to the public until after news reports surfaced of an investigation.
In an open letter to customers on its website Thursday, the retailer urged customers to check their account statements for evidence of fraud or identity theft. It also suggested card holders monitor credit reports. "If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions," the company said.
That's good advice, but it might not go far enough. Both Mr. Woolsey and Richard Franklin, an assistant professor of business administration in the management information systems area at the University of Pittsburgh, said customers who used debit cards at Target during the affected period should contact their banks and change those accounts.
"If I were a Target customer and I had used a debit card at Target, I would immediately cancel it," Mr. Franklin said. "Debit cards are far worse a problem than credit."
That's because of the different federal protections on the two kinds of cards. Credit card users' exposure is limited to $50 if they report a problem within 60 days, Mr. Woolsey said. Issuers have systems to try to catch suspicious uses quickly, but he suggested credit card users might still want to call their issuer to ask for a new card, because it's not entirely clear how much information the hackers took.
Protections are not as strong for debit cards, and the account balance is more vulnerable, the two experts agreed.
Marcey Zweibel, vice president and senior manager of external communications at PNC Financial Services Group, said the Pittsburgh-based bank is aware of the situation. "We heard from some concerned customers today and we confirmed that if they see any unauthorized charges on their accounts, they will not be held responsible for them if reported in a timely manner."
The breach is the latest in a string of high-profile incidents in which data has been accessed, despite efforts by retailers, banks and other institutions to safeguard their systems, something that Post-Gazette readers noted in Facebook comments.
"Any company can be a victim of this," Jason Williams wrote. "... The only way to avoid this is to use cash everywhere. Then hope nobody sees your stack of cash or you will get robbed!"
Some commenters said they'd had purchases blocked in recent weeks as a result of suspected breaches, while another reported checking her account data Thursday morning after hearing the news.
Mr. Franklin said the number of accounts affected may rise as more information comes out, but already it's one of the larger credit card breaches in history. He noted that in 2009, an attack on credit card processor Heartland Payment Systems affected 130 million cards and in 2007, TJX Cos. announced at least 45 million credit accounts had been compromised.
Although companies have improved their systems in recent years, there's no way to completely guarantee against a breach, he said.
Target suggested customers report incidents of identity theft to the Federal Trade Commission or law enforcement. More information can be found at www.consumer.gov/idtheft, or by calling the FTC at 1-877-438-4338.
Customers with questions about the security breach can call Target at 1-866-852-8680.
Teresa F. Lindeman: email@example.com or 412-263-2018.