
6.8 million Target card credentials traded, losses approach $1 billion


With 6.8 million compromised records costing an average loss of $136 (£82) per record, potential costs of the Target breach are some US$925 million...and may exceed a billion US dollars.


The fallout from the Target Corporation data breach of late last year - in which more than 40 million card credentials and user details were stolen from the US retail chain - is rolling onwards. New reports detail a further 2.8 million sets of stolen credentials being traded on 'carder forums', while US banks are now saying that the fiasco has cost them at least £120 million (US$200 million) so far.

The banks say that around 21.8 million of the 40 million cards have been replaced, whilst both Target and Neiman Marcus - a second US retailer hit by card credential losses - failed to show for a Tuesday briefing in Washington with the US government, which is investigating the breaches. As an aside, the US government was reportedly displeased at the absence of both retailers, especially as they had sent out multiple invitations to the hearings.

According to security researcher Brian Krebs, the volume of valid card credentials stolen in the Target data breach is shrinking, forcing cyber-criminals to offload the stolen card details onto the black market at knockdown rates.

Indeed, prices on the latest batch of 2.8 million cards sold are said to have fallen by at least 70 percent. In the middle of December, card credential sets - which include a variety of data on the cardholder - were trading at between US$26.60 and US$44.80 (£15.97 to £26.89), says Krebs, adding that the price has now fallen to as low as US$8.00 (£4.80).

He says that this trend is being driven by the potential success rate on fraudulent purchases falling to 60 percent on the latest batch of 2.8 million - down from 100 percent on the initial 4.0 million stolen Target card credential sets.

Two US organisations - the Consumer Bankers Association and the Credit Union National Association - now report bank losses from the Target breach as having topped £120 million (US$ 200 million). This figure does not, however, include the cost of any fraudulent activity and stems from the costs associated with replacing 21.8 million of the affected cards. 

Breach costs will be higher still

Commenting on the Target cost revelations, Steve Smith, managing director of security consultancy Pentura, predicted that the total bill for these breaches will be higher still. He cites a 2013 study by Symantec and the Ponemon Institute as placing the average cost of a data breach at £82 (US$ 136) per compromised record.

With a potential cost going beyond the billion-dollar mark, Smith says that "prevention really is far cheaper than a cure." 

Barmak Meftah, president and CEO of AlienVault, the open source security software firm, added that, when a major breach occurs, it is vital that other major retailers step up their security to high alert and take lessons from what has happened because, in all likelihood, they will be next.

"This was recently witnessed with Neiman Marcus and other major retailers in the US being hit using the same techniques used in the Target breach," he explained.

Lamar Bailey, director of security R&D with Tripwire, said that a chain is only as strong as its weakest link - and Target learned that lesson the hard way last year.

"It has been a common occurrence for organisations to be hacked via weak security at their partners or supply chains. What happened to Target and Neiman Marcus is nothing new but they were affected on a much bigger scale," he said. 

“For many years the US card issuers have neglected to move to more secure credit card technology because of the cost required to upgrade the cards and infrastructure, with the large expense being replacing stolen cards and money for consumers,” he added.

"I hope this will change the card issuers' minds. Since Target and Neiman Marcus representatives decided not to appear on Capitol Hill, I expect we will see some discussions about new privacy and credit laws coming from the US Congress in the coming months."
