Cyber criminals are still offering to sell thousands of credit and debit card numbers that were stolen from Maine customers who shopped at Target during the holiday season, and the retail chain revealed Friday that information from tens of millions more customers than previously announced was stolen during its data breach.
Two underground websites selling stolen card numbers listed a combined 5,650 card numbers, security codes, expiration dates, and card holder names that were stolen from Target’s stores in Augusta, Bangor, Biddeford, Topsham and South Portland.
The websites are believed to be operating out of Ukraine in Eastern Europe, said Maine Assistant Attorney General Linda Conti, and that’s likely the primary reason why they have not been taken down and their operators arrested.
“We can’t just go into another country and arrest someone,” Conti said, and Ukraine is one of many countries that do not have extradition treaties with the U.S.
That doesn’t mean it will be impossible to go after the perpetrators, said Conti. “The federal government has prosecuted people (in countries without treaties), but it’s not as easy as if they were right here in this country.”
Minneapolis-based Target Brands Inc. revealed Friday that the names, mailing addresses, phone numbers and email addresses of as many as 70 million U.S. customers were compromised in the data breach, in addition to the 40 million customer credit and debit card numbers that were stolen from Target’s U.S. stores from Nov. 27 to Dec. 15.
The company previously disclosed that millions of encrypted PIN numbers for customers’ debit cards also were stolen. It is not yet known whether the hackers who stole the PINs have managed to decrypt them. To date, there have been no reports of any of those PINs being offered for sale.
Target warned that the stolen personal information could be used to perpetrate scams against its customers, such as calling or emailing them while posing as the retailer to obtain Social Security numbers and other information needed for identity theft.
It warned customers not to give out Social Security numbers, bank account numbers or other sensitive information to anyone claiming to be a Target representative.
Dozens of black market websites reportedly are selling data stolen from the retailer for about $10 to $100 per card, depending on the issuing bank, expiration date and type of card.
The sale listing for each card shows the first six digits of the card number, also called the bank identification number, which identifies the issuing bank.
Also listed is the name of the bank, the expiration date, whether it is a consumer, business, gold or platinum card, and the location from which the numbers were stolen.
Location is important to thieves, since banks often flag transactions as potentially fraudulent if they are made far from where the card is customarily used.
The listings also indicate whether the data includes detailed “Track 1” information, such as the card holder’s name and a security code embedded in the card’s magnetic strip.
The hackers did not obtain the three- or four-digit security codes imprinted on the back of most credit and debit cards, according to Target.
The Portland Press Herald is not publishing the online addresses of the two websites it investigated because they are criminal enterprises and the danger to those who visit the sites is unknown.
Card data has been added to the underground sites in batches of about 120,000 to 500,000 accounts at a time since Dec. 11. Any visitor to the sites can register and browse the databases.
The most recent batch of card data is for cards issued by foreign banks, many from Canada.
To purchase the stolen data, a buyer must first send money to the website operators, either via a virtual currency such as Bitcoin or a wire transfer via MoneyGram or Western Union.
Both websites list the wire transfer recipient’s location as Ukraine.
Websites hosted in countries such as Ukraine can be difficult to take down, Conti said, but a Target representative told her that the company has shut down some criminal websites related to the data breach.
A list of those sites was expected to be made public by Monday, she said.
Meanwhile, Target said Friday that it continues to investigate how such a huge volume of customer data was stolen.
So far, the company’s explanation has lacked specific details, including the method by which thieves hacked Target’s systems.
“In mid-December, we learned criminals forced their way into our system, gaining access to guest credit and debit card information,” the company said in a written statement. “We have partnered with a leading third-party forensics firm who is thoroughly investigating the breach.”
Target spokeswoman Sarah VanNevel said in an email Friday that she could not comment beyond what the company said in its written statement.
“While we can’t provide specifics because the investigation is ongoing, we are working closely with the United States Secret Service and the Department of Justice to bring those responsible to justice,” the statement said.
J. Craig Anderson can be contacted at 791-6390 or at: