Target Data Breach May Have Extended Beyond December 15

The credit card data breach that snared Target, its customers, and banking institutions across the US during the busy 2013 holiday shopping season has been a top news and concern item since Krebs On Security broke the story. With reports of Neiman Marcus and other US retailers being caught up in the mix, the story is not only ongoing, but given the secrecy that surrounds these types of events and their subsequent investigations, it is difficult to pin down all of the facts that consumers need to protect themselves.

When Target came clean as the story was about to break, it declared that the window when the breach occurred took place between November 27 and December 15. And in bold statements said that the access hackers used had been closed and eliminated.

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.”

And this from the Target FAQ on the event which still appears today:

Well, I’m not so sure if that date of December 15 stands up and the language use is certainly fuzzy. But the implication and reporting that followed was that it was safe to shop at Target again because the breach had been closed on December 15. Note that the original story did not come out until December 18. But this morning I got some news that leads me to believe the hackers were still working after December 15.

My wife is traveling on business. This morning she got an email from Citibank, one of her credit card holders. It reported what looked like fraudulent activity and asked her to call. (Why they didn’t call is another question. We’re all trained not to trust those emails.) She called and indeed there were two fraudulent transactions that took place this morning. In working with the Citibank agent on the phone they discovered that my wife had indeed used that card at Target. But, the date was December 17, 2013, which fell two days after the publicized date that Target had supposedly closed the breach. My wife had not used that or any other card at Target during the publicized window of the breach.

Citibank may be using the Target breach as an excuse here, as that historic theft certainly has been a cause for major disruption. Banks, insurance companies and retailers are notoriously closed mouth about these events and investigations to cover their liabilities. The bottom line is, given what we know and what we don’t know, about the events at Target, Neiman Marcus, and the other as yet unnamed retailers, consumers should be extremely careful and make sure they are monitoring their accounts.