Could Target-Style Data Breach Happen to Me?
Feb. 13, 2014 -- Dear ABC News Fixer: I am confused about the credit card data thefts I have been hearing about, such as the breach at Target stores. I have my own one-man business (mobile sharpening, in which I go to homes to sharpen knives, scissors, lawn mower blades, etc.). I accept credit cards using a credit card swiper attached to my cell phone.
When I look at the credit purchase history on my phone, I do not see PIN numbers or credit card expiration dates. I do not even see the entire credit card number -- just the last four digits.
I called the company that processes my receipts to find out how much credit card data is on my cell phone. They told me that only the date of the transaction, the amount and the last four digits of the card are on my phone.
If I cannot store complete credit card information, how is it that Target can? How did the Target hackers steal the information?
The reason I'm asking is I do not want any of us out here -- small businesses that use credit card swipers -- to be held responsible if credit card information is stolen from our customers.
- Gary Gordon, Charlotte, NC
Letters are edited for length and clarity.
Dear Gary: The Target breach – said to be the second-largest retail cyber attack in history – rattled a lot of nerves among consumers, retailers and bankers, and investigators are still trying to determine exactly what happened.
What we know is this: Between Nov. 27 and Dec. 15, hackers were able to access information for about 40 million customers, including their names, card numbers, card expiration dates, card security codes and debit card PINs (though the PINs were encrypted, Target said). Later, Target disclosed that additional info was compromised: 70 million consumers had their names, addresses, phone numbers or email addresses exposed.
The U.S. Secret Service continues to investigate, but it's looking like the hackers used malware that accessed Target's computers and grabbed information at the point of sale. ABC News and other outlets have reported that the focus is on a heating and refrigeration business whose vendor access to Target's computers may have been hacked.
Target spokeswoman Molly Snyder declined to discuss specifics of the ongoing investigation.
The breach has brought new calls for something to be done. And something will, by October 2015, which is the deadline for the United States to finally switch to chip technology, considered a lot safer than the magnetic strips now on our cards.
Honestly, the whole story makes the ABC News Fixer want to hide all our money under a mattress and deal only in cash. But back to your question.
We asked experts in banking and technology whether a breach like this could happen to you.
Lori MacVittie, a senior product manager at F5 Networks and a technology blogger, said the amount of information that's available in any transaction depends on the software the merchant uses and the type of transaction. When a consumer swipes his card, the merchant's software sends data to a payment gateway – essentially a bridge between the card reader and the credit issuing institution. The gateway stores the info it needs for the transaction – whether it's just a credit authorization or a transaction that will be batched and processed later on.