I was one of the 40 million people whose credit and debit card accounts were compromised by the massive hacking attack and theft at Target (TGT -0.17%). The sophisticated attack at the retailer occurred on Black Friday and included accounts that were used up to Dec. 15, compromising data from Target's own private-label REDcard, as well as major issuer brands including American Express, Visa, and MasterCard.
Warning signs
I got an inkling something was amiss in mid-December after receiving a bland, computer-generated call telling me I needed to talk to someone about my debit card account. Because the disembodied voice making the call didn't identify what institution it was from and the Caller ID was blank, I thought it more likely a scam, so I hung up and dialed my bank instead. They hadn't heard anything about a problem, but said if my card had been compromised a real, live person would have called and not some anonymous, computerized voice.
I thought no more about it, even after Target's hacking attack made the news, until a week ago when I got a call from my bank -- from that real, live person they warned about -- telling me I was one of the lucky 40 million and they were immediately imposing a $300-a-day limit on purchases and cash withdrawals and issuing a new card. Coming as it did right before Christmas, that could have been a real hardship had I not already completed my holiday shopping, but the highly unusual move also indicated they saw something more damaging than just personal account information getting swiped. As Target has since admitted, encrypted PIN data was stolen.
A code worthy of DaVinci
Although the information is likely now for sale on some international, underground websites, because various fail-safe measures have been built into the system, the likelihood there will be any fraudulent activity on my account -- or that of any of the other 40 million victims -- is small.
As at retailers throughout the country, PIN numbers entered during a transaction at Target are encrypted at the keypad using the Triple Data Encryption Standard, or TDES, a process that codes the data three times at the point of entry. While the encrypted data is stored on Target's system, the key to decode the information is held at the payment processor. MasterCard previously mandated that all PIN-entry devices, including those at ATMs, had to be TDES compliant by April 2005, while Visa mandated compliance by July 2010. The prior once-only data encryption system was deemed too vulnerable to hacks, and merchants risked losing the ability to accept PIN transactions if they didn't meet the deadlines.
Hacked to the max
Although the Target data breach is large, it's not the biggest. That distinction belongs to TJX, the owner of discount stores T.J. Maxx, HomeGoods, and Marshalls, which in 2007 saw the theft of data from more than 90 million credit cards over an 18-month period. That episode could be instructive for how it will impact Target, because while the actual losses were small, it cost the retailer more than $100 million in investigation costs, security system upgrades, customer communications, and legal fees, and some $1.6 billion over the lifetime of the case.
Yet there are important differences between the two hack attacks beyond the size of the theft. Foremost was that TJX stored unencrypted personal account data on its system, and then when the breach was discovered, it waited a whole month before alerting customers. No, the real problem for Target will come at earnings time when all the money it thought it generated from Christmas sales will have evaporated to cover the costs of this debacle.
Trailing revenues through Nov. 2 had only been up 2.7% over the same period in 2012, and analysts are expecting current-quarter revenues to fall 2.6% below the year-ago quarter.
Fortunately, while its REDcard accounts for about 5% of its total revenues, because the crime also took in major credit card companies too, it's unlikely to cause consumers to stop using the private-label cards or even hold it again Target. TJX, after all, which was much more cavalier with its response to the theft, continued on without any apparent significant backlash.
Cash on the barrelhead
Sadly, in a world of electronic and online transactions, such hacking and theft is almost expected by consumers, and giant corporations including AT&T, BJ's Wholesale Club, and DSW have all fallen victim to such attacks. Perhaps the latest incident, though, will spur the industry to advance to more state-of-the-art technology, such as chips on cards rather than magnetic stripes.
Until then, though, unless you're willing to go back to an all-cash society (not a bad idea, really, considering this country's massive consumer debt load), hack attacks and theft will just be a part of our everyday reality. Target's reality will be a lump of coal in its Christmas-sales stocking -- and for some time to come thereafter.
