Credit Cards Blog

Finance Blogs » Credit Cards Blog » Target card breach: What to know

Target card breach: What to know

By Janna Herron ·
Thursday, December 19, 2013
Posted: 12 pm ET

Target said about 40 million credit card and debit card accounts were compromised in a 19-day data breach starting the day before Thanksgiving.

The retailer said on Thursday the breach, which lasted from Nov. 27 to Dec. 15, included the consumer's name, credit card and debit card numbers, the card's expiration date and the three-digit security card security code. Only customers who shopped in actual stores were affected; online customers were not. Target spokeswoman Molly Snyder said there are no indications that debit card personal identification numbers, or PINs, were accessed.

Snyder would not say how many stores were affected or how the hack was executed. But Krebs on Security, an industry security blog that broke the news about the breach on Wednesday, said that nearly all of the retailer's U.S. stores were affected and the data was collected from the magnetic stripe on the backs of the cards.

"No matter how careful we are with our own data there's no guarantee that the places we shop are equally protective," says John Ulzheimer, credit expert at Credit Sesame.

The good news for consumers is that Target has already contacted banks about the breach. Discover, Chase, Citi, Capital One, Wells Fargo and Bank of America all confirmed that they are actively monitoring accounts for suspicious activity and will contact cardholders if they believe their account has been compromised.

"Discover's top priority is maintaining the privacy and security of our cardmembers," says company spokeswoman Laura Gingiss.

Typically, card issuers will cancel affected cards and send out new cards with new numbers to customers. In some cases, if the customer can't be reached, a card issuer may temporarily shut down the card, so no fraudulent charges can be added.

Consumers who recently shopped at Target stores should be just as vigilant by double-checking their online statements for any unusual charges. Ulzheimer recommends that consumers do this regularly and not wait until the monthly statement comes.

"Fraud is a real time crime and we as consumers have to be constantly engaged with our payment vehicles so that we are immediately aware of fraudulent use," he says.

If a consumer finds an unauthorized transaction, they should contact their banks to report the transaction along with the three credit reporting bureausĀ -- Experian, Equifax and TransUnion -- to place a fraud alert on their credit reports. Fraud alerts last 90 days and tell lenders to take extra precautions to verify a person's identify before extending credit.

Consumers affected by the breach should also pull their credit report one to two months after finding the unauthorized transaction to check if any new credit has been established in their name without their permission. It takes at least a month for a new account to show up on a credit report. Consumers are entitled to a free credit report from each credit bureau once every 12 months under federal law.

As for losses, credit card holders are not liable for any unauthorized charges stemming from a data breach under federal law. Debit card holders face higher losses, depending on whether their PIN was accessed and when they report unauthorized charges.

"When reported promptly, debit card customers are not liable for any unauthorized purchases on their accounts," says Chase spokesman Rob Tacey.

Did your issuer call you about a breach recently? Let me know.

Follow me on Twitter: @JannaHerron.

Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.
December 21, 2013 at 3:39 pm

Jim Watkins - By agreement with Visa they should not ask for ID. You should actually be signing your receipt CHECK ID as that is the valid signature on the back of the card. If your signature does not match is where your protection is.

December 20, 2013 at 11:07 pm

Capital One didn't contact me at all. They instead just sent me a new debit card and PIN (which had I left for my trip today like I planned to) would have been sitting in my mailbox for the next week.

When I called and asked about being sent the new card and PIN is when they decided to tell me that my account was compromised. So had I not been home, I wouldn't have known until I went to use my card. Not to mention that we've had mail being stolen lately, so that anyone could have gotten my new card, the new PIN, activated the card and emptied my account without me ever knowing.

Norman L. Silvers
December 20, 2013 at 7:35 pm

Chase Visa has not contacted me yet.
12/20/13 4:35pm pacific time

December 20, 2013 at 3:51 pm

What do people who applied for a Target credit card during this time period need to do?

Steve E
December 20, 2013 at 3:12 pm

My wife was at target, and our bank is already issuing her a new card. We use cash for a lot of our monthly budget, but our gift budget was not in cash. We might rethink that in light of this breach. The article mentioned that all the information from the magnetic strip was taken, but fails to mention what information IS on that strip. That is worth an answer. Hmm, maybe I feel another blog post coming on...

December 20, 2013 at 1:53 pm

One thing is unclear. Did this breach apply to the use of third party credit and debit cards only, or does it involve the use of the Target Red Card? No one has addressed this situation clearly.

December 20, 2013 at 1:28 pm

Looks like old school times coming back ."CASH ONLY".for this guy.Trust no one.

December 20, 2013 at 10:55 am

I called a local Target store to get a contact number and was informed that it would be nearly impossible to get through. Reminds me of a run on a bank...close the doors and keep the customer's accounts.

Jim Watkins
December 20, 2013 at 10:55 am

I was at target twice in this period. I used VISA. Although I have in bold letters "check ID" where the card signature goes, neither clerc asked for ID. When I asked if they were going to check my ID,
each said the compuuter did not ask for ID. This is a messed up corporate head down desition and I feel it sucks.
I lost my wallet two years ago and the first place the finder went was to Target, knowing they would not be checked. I realize this had nothing to do with how info was taken this time, but Targed has a very bad security policy from top down. Some one needs to be held accountable.

December 20, 2013 at 9:54 am

I have try to call target about my card and can not get through. Should I keep trying.