Timeline: Retail cyberattacks hit millions

  @gregorywallace March 5, 2014: 10:34 AM ET

Shoppers in a Target store on Black Friday, when the massive breach that hit 110 million customers began.

NEW YORK (CNNMoney)

A breach of Target could be the largest in retail history. It was one of several retailers hit by sophisticated cyber-criminals in 2013. The full extent of all these breaches isn't yet known, and it's not clear if any of the cases are related.

Here is a timeline of events associated with the breaches:

March 5: Target said it is replacing its chief information officer and filling two other top information security posts as part of "an overhaul of our information security and compliance structure and practices at Target."

Feb. 4: Target Chief Financial Officer John Mulligan testifies to Congress that the company would accelerate its investment in advanced credit card technologies. Mulligan says the company first learned of the breach when notified by the Justice Department. Neiman Marcus and law enforcement representatives also testify.

Feb. 2: White Lodging says it is investigating a breach involving bars and restaurants at 14 hotels it manages, including Marriott (MAR, Fortune 500), Radisson, Renaissance, Sheraton, Westin and Holiday Inn locations. The breach occurred between March 20 and Dec. 16, 2013. Independent security researcher Brian Krebs first reports this breach on Jan. 31.

Jan. 30: Target says stolen vendor credentials were used in its massive breach.

Jan. 28: Consumer Bankers' Association, which represents nearly 60 of the nation's largest card-issuing banks, says its members have responded to the Target breach by replacing 15.3 million consumer cards at a cost of $153 million.

Jan. 26: Michaels, the country's largest crafts chain, reports "possible fraudulent activity" on some of its customers' payment cards, suggesting there may have been a breach. CEO Chuck Rubin says the company has not confirmed a breach, but wanted to alert customers.

Jan. 23: Neiman Marcus acknowledged cyber-criminals stole card information for 1.1 million customers who shopped at the retailer between July 16 and Oct. 30, 2013. About 2,400 cards were later used fraudulently, it said.

Jan. 16: Federal investigators warn retailers and other companies that accept card payments about an advanced piece of malicious software that potentially affected a large number of stores. It is widely believed this was the malware that infected Target.

Jan. 14: The nation's largest retail bank, J.P. Morgan Chase (JPM, Fortune 500), says it is replacing 2 million customer cards, prompted by the Target hack.

Jan. 11: Neiman Marcus says a cyber-security firm has found a payment card breach. The company said it is too early to tell how many customers have been impacted.

Jan. 10, 2014: Target says hackers also obtained personal information -- including name, address, phone number and email address -- for up to 70 million customers. It says there may be some overlap with the 40 million impacted by the credit and debit card breach, but it couldn't say how many were counted twice.

Dec. 27: Target says cyber-criminals made off with PIN data, adding that information was "strongly encrypted" and likely remains "safe and secure." It had earlier said PIN numbers were not part of the breach.

Dec. 22: Chase Bank implements strict limits on how much customers can withdraw and spend using debit cards, citing an effort to prevent fraud. Within days, it relaxes those limits.

Dec. 21-22: Target offers customers a 10% discount on many items in its stores.

Dec. 19: Target confirms a breach from Nov. 27 to Dec. 15 involving up to 40 million cards.

Dec. 18: The Secret Service acknowledges it is investigating a reported breach that involved credit and debit cards at Target (TGT, Fortune 500). The news was first reported by Brian Krebs, a security researcher and blogger.


