In mid-December, we learned criminals forced their way into our system, gaining access to guest credit and debit card information. As the investigation continued, it was determined that certain guest information was also taken. The information included names, mailing addresses, email addresses or phone numbers. We have partnered with a leading third-party forensics firm who is thoroughly investigating the breach.
Has the issue been resolved?
Yes. We closed the access point that the criminals used when we discovered the breach on Dec. 15.
Does that information include social security numbers?
There is no indication that Social Security numbers have been taken.
Do you think you will find anything else?
We continue to conduct a thorough investigation and we are committed to updating you on developments that could impact you.
How could Target let all this credit and debit card information get accessed?
This unauthorized access is a crime, and we are taking it very seriously. While we can’t provide specifics because the investigation is ongoing, we are working closely with the United States Secret Service and the Department of Justice to bring those responsible to justice.
How can I be assured you are taking the steps to protect my information in the future?
We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan. You can learn more about our investment in smartcards here.
When did Target learn that certain guest information was taken? Was there another breach?
This information was discovered as part of the ongoing investigation. This theft is not a new breach. This development was uncovered in the course of the ongoing investigation. When we discovered the breach on December 15, we moved swiftly to close the access point that criminals used and removed the malware they left behind.
How many guests were affected by the additional stolen guest information?
Up to 70 million individuals may be affected.
What guest information was taken?
The information, much of which was partial in nature, may have included names, mailing addresses, phone numbers or email addresses.
How do I know if I was affected by this latest development? Should I call Target?
In cases where Target has an email address, we will attempt to contact affected guests. Please know, we will not ask for any personal information as part of that communication.
Why was Target collecting and holding this type of information?
This was information we collected during the normal course of business.
If I believe that my credit or debit card information was impacted, does that automatically mean additional information was stolen as well?
This is not a new breach. There may be some duplication of guests between this development and those impacted by the credit and debit card data. However, the payment card data and this information were not linked.
What does it mean if my information was stolen? What are the risks?
Because this is generally publicly available information, the primary risk is increased exposure to consumer scams, such as phishing, web scams and social engineering. We want to help our guests protect themselves by providing information and resources about these scams. For helpful tips and more information, see the Frequently Asked Questions provided on scams below, or visit A Bullseye View.
How do I know if my credit or debit card was impacted?
If you shopped at Target between Nov. 27 and Dec. 15, you should keep a close eye for any suspicious or unusual activity on any credit or debit card accounts that you used while shopping during that time.
How many credit or debit cards were impacted?
Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.
Since I shopped at Target between Nov. 27 and Dec. 15, does that mean my card has been used fraudulently?
No. Just because you shopped at our stores during that timeframe does not mean your card has been used for fraud. You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity.
Should I call Target to see if my credit or debit cards were affected?
You don’t need to call us unless you believe there are suspicious charges to your Target REDcard. Target already has fraud alerts in place and is actively monitoring REDcard accounts that may have been impacted.
The banks that issue non-Target credit and debit cards also have been notified and have similar processes in place. You too, should keep a close watch on your account by reviewing your credit or debit card statements.
You should call your card’s issuing bank if you discover any suspicious, unusual or fraudulent activity.
Will my card’s financial institution be able to tell me if I was impacted?
Target shared the impacted credit and debit card information with the processors, who in turn, shared with the issuing banks. You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. One recommended safety precaution is to change the PIN number on your debit card.
If you decide to change your PIN number on your Target REDcard debit card, go to Target.com/RCAM.
If I used my credit or debit card at Target.com or in Canada between Nov. 27 and Dec. 15, should I be concerned?
No, this payment card issue impacted U.S. stores.
I heard that CVV information was impacted. Is the CVV code the same as the three-digit security code on the back of my card?
There are two types of CVV data: CVV, which is encoded on the magnetic stripe and CVV2, which is the three or four digit value that is printed on the back or front of your card. We have determined that this breach impacted CVV information. At this time, we have no indication that CVV2 data was compromised; and therefore, no indication that the three- and four-digit security codes are impacted.
Will I be held liable for fraudulent charges on my card?
Absolutely not. You have zero liability for the cost of any fraudulent charges as the result of this breach.
What impact did the breach have on PIN numbers?
On Dec. 27, we were able to confirm, through additional forensic work, that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
Why does Target think PIN data can’t be compromised?
Due to how the encryption process works, Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
Should I change my PIN?
We remain confident that PIN numbers are safe and secure. If you would prefer to update your PIN, you can manage your REDcard PIN by logging on to your Target REDcard account at Target.com/RCAM or contacting your bank.
How do I know that emails and information I receive are actually from Target?
We have posted copies of our email communication related to this breach incident to Target.com/databreach within the “official documents & communication” section, so you can compare any emails you receive to official copies of the emails that Target has distributed.
I received a call, text or email from someone who said they were with Target asking for my social security number, credit card number, and/or other personal information. What should I do?
Do not provide that information. Be wary of scams that may appear to offer protection but are really trying to get personal information from you.
If you have any suspicions about the authenticity of an email or text, do not click the links in it. Please go directly to the sites you need to access.
I know there are scams that are going on. What is Target doing to deal with consumer scams arising from the incident?
We are aware of some scams concerning phishing in the form of e-mails, text, fake websites and phone calls designed to steal personal information from our guests in the wake of the recent data breach. We have posted tips on how to avoid these scams, and are also working with partners, including Facebook and Twitter, to help shut down fraudulent websites and scams intended to exploit Target guests. We have helped take down more than a dozen consumer scams to date.
What kind of scams do I need to watch out for?
Following an event like a data breach, it’s common to see fraudsters use emails, texts, phone calls and fake websites to try to steal your personal information.
Social Engineering: Using fraud or deception to manipulate people into performing actions or divulging information that they would normally not share.
Social Engineer: A scam artist who contacts individuals via phone, email, text message or even in person to gather information for the purposes of fraud, data system access, identity theft and more.
Phishing: A social engineer uses a fake email to trick recipients into giving up credit card information, passwords or other sensitive information. The email may appear to come from a trusted source, such as a reputable company or bank, and often includes personal details so it appears the sender knows you.
Smishing: Similar to Phishing (see above), a social engineer sends a fake Short Message Service (SMS) text message to your cell phone, announcing that you’ve won a prize or offer from a trusted company or bank if you follow a link to a website and enter a code. Clicking the link can expose your phone to malware.
Pretexting: When a social engineer impersonates someone with authority and creates a fake scenario to trick unsuspecting individuals into sharing private or sensitive information.
What are some things I can do to avoid social engineering scams?
Never give out private or personal information, including financial details, unless you can verify the identity of the person or organization contacting you.
Don’t respond to texts or emails coming from a contact you don't recognize, and don’t click on links. Instead, if you need to check on your account, type the site address you want visit into your browser and securely log into your account.
Don’t send money to strangers; scam artists often insist that you wire money, especially overseas, because it’s difficult to trace the transaction.
Keep an eye on your monthly statements. If your account information is stolen, fraudsters can use it to charge purchases or commit crimes in your name. Watch for unusual charges such as “membership fees” and other goods or services you didn’t authorize. If you see a charge you don’t recognize, contact your account provider immediately.
What are some red flags that indicate I might be dealing with a social engineer?
Some common red flags that help identify a social engineer include:
Refusal to provide contact or call-back information
Acting rushed, pressed for time or intimidating
May seem to know some personal information already, but is asking for more
Poor grammar or spelling
The links or attachments in an email seem suspicious
What should I do if I suspect I’ve been contacted by a social engineer?
If you think you may have been scammed, there are a number of things you can do to protect yourself:
Report the incident to the Federal Trade Commission, or, if you live outside the U.S., file a complaint at econsumer.gov. You can also report scams to your state Attorney General.
Forward email spam to email@example.com.
Can I still use my credit or debit card or should I call to get a new one?
Yes, you can continue to use your card.
You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. As an additional precaution, you may want to change your PIN number on your Target REDcard debit card. You can do this by logging in to Target.com/RCAM.
How can I check the recent transactions on my account?
To check recent transaction and monitor your account, you can call the number on the back of your card or visit Target.com/rcam.
I want to get a new credit card. Can Target help with this?
Target can help with REDcard credit or debit cards only. We do not have access to other financial institutions' credit or debit card account information. If you have a non-Target credit or debit card, then specific concerns about your account can be addressed by calling the number on the back of your card.
If I close my account, can I reopen it later?
A Target REDcard account that is closed cannot be reopened, but you can apply for a new account. Please be aware that you must wait at least a day after closing your REDcard account to reapply. New accounts are subject to current terms and conditions, which may not be the same as your closed account. If you have a non-Target credit or debit card, questions about your account can be addressed by calling the number on the back of your card.
How do I add an alert to my REDcard credit card?
REDcard credit cardholders can set up alerts through Manage My REDcard so they can be informed every time their card is used. On Target.com, click on “Manage my REDcard” at the bottom of the page. Sign in to Manage My REDcard with your username and password. Under Settings, click “Set Alerts” on the left hand navigation menu. Select your alert and delivery preferences. Click “Save” and you’re ready to receive alerts.