Target has confirmed reports that hackers infected Target’s point-of-sale terminals with
malware (POS malware) to steal the payment card information from millions of customers, the retailer’s chief executive has confirmed.
The security breach, which yielded the personal information of as many as 110 million customers, was first identified on December 15, four days before the breach was publicly revealed, CEO Gregg Steinhafel told CNBC during an interview. Target revealed Friday that the security breach it suffered between November 27 and December 15 was larger than originally believed, yielding the names, mailing addresses, phone numbers, and e-mail addresses for near three times its original estimate of 40 million customers.
“Sunday [December 15] was really Day 1. That was the day we confirmed we had an issue and so our number one priority was … making our environment safe and secure,” Steinhafel said in the interview. “By six o’clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”
Steinhafel defended the four-day delay in its notification process as necessary for investigators and consumer preparation.
“Day 2 was really about initiating the investigation work and the forensic work … that has been ongoing. Day 3 was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and Day 4 was about notification,” he told CNBC in an interview scheduled to air Monday.
The practice of payment card skimming at point-of-sale terminals has become more frequent in recent years, often victimizing customers of well-known retailers. Bookseller Barnes & Noble discovered in fall 2012 that hackers had broken into keypads at more than 60 locations around the United States and made off with customers’ credit card information. That same month, two Romanian men pled guilty to hacking point-of-sale terminals at hundreds of Subway sandwich stores in the US to steal credit card data from more than 146,000 accounts.