Jason Del Rey

In Wake of Card Data Breach, Target’s Redcard Website Has Been Down All Day


When Target this morning acknowledged a security breach of data from up to 40 million credit and debit cards used in its stores over a two-week period beginning around Thanksgiving, it told its shoppers to monitor their accounts for fishy transactions.

But if the card you’ve used in a Target store recently is one of Target’s very own debit or credit cards, dubbed Redcards, you’re out of luck for now.

The Redcard website has essentially been down all day. I tried to log in for the first time around 11 am ET, but the site wouldn’t load. More than nine hours later, at the time of this writing, the site is still down. The phone line has been down all day as well.

Things are a mess.

Earlier in the day, Target spokesman Eric Hausman gave me this canned statement: “We are experiencing significantly higher volume than normal to our call centers and Redcard website, causing delays. We are working hard to resolve this issue by adding team member support and system capacity as quickly as possible. We apologize for the inconvenience and appreciate our guests’ patience as we build capacity hour by hour until we meet all our guests’ needs.”

When I spoke to him again around 6 pm ET, he said the company didn’t have any further updates.

In its statement this morning, Target told all customers who shopped in a Target store between Nov. 27 and Dec. 15 to check their accounts for the cards they used to make purchases during that timeframe. It did not tell customers to have new cards issued.

Still, Target’s Facebook page is full of concerned Redcard customers who can’t access their accounts, asking for Target to issue new cards across the board. That outcome seems highly unlikely.

For Target shoppers who made purchases in a Target store sometime during that two-and-a-half-week period, this is the information that fraudsters may have on you: Your name, your credit or debit card number, the expiration date and a code known as CVV1 that is stored on the card’s magnetic stripe and is used to verify that a card is being used at a real-world store and not online.

With this information, a person could replicate your card for use in stores or other physical merchant locations.

But Target “has no indication” that the breach included the three- or four-digit security codes printed on the cards, which are used by businesses to guard against fraudulent charges made over the phone or on the Web. There was some miscommunication on Target’s end about this earlier in the day, but Hausman clarified it for me in our chat and confirmed that what I just spelled out is the case.

Why is this important? It means that your card information, even if stolen through the attack, likely cannot be used to make online purchases, assuming websites require the security code printed on the card, as most reputable ones do.

Hausman also said that the company “has no indication at this time” that debit-card PIN codes were compromised. Again, the ongoing investigation by a third-party company could prove that inaccurate, but it appears to be unlikely right now.

The company asserts that the data hacking in no way affects purchases made on Target.com.

Still, on Target’s end, this is just the beginning of the fallout from the breach.

No matter how many times the company tells shoppers that it is now safe to use plastic at their stores, the news will likely have some negative effect on sales during one of the worst possible times of year for such a breach to happen.

Target could also be on the receiving end of fines from credit card companies and banks whose customers get hit with fraudulent charges as a result of this breach.

Separately, the breach is just the latest occasion for some payment industry observers to call for a stricter rollout of so-called chip-and-PIN cards, which are prevalent in Europe and widely believed to be less susceptible to fraud than the swipeable cards we use in the U.S. Most types of U.S. businesses will have to install hardware capable of accepting these types of cards by October 2015, or risk taking on responsibility for fraudulent charges as banks and credit card companies shift liability to merchants.
