Timeline: Retail cyberattacks hit millions

May 5, 2014: 2:08 PM ET
target store black friday
Shoppers in a Target store on Black Friday, when the massive breach that hit 110 million customers began.
NEW YORK (CNNMoney)

A breach of Target could be the largest in retail history. It was one of several retailers hit by sophisticated cyber-criminals in 2013. The full extent of all these breaches aren't yet known, and it's not clear if any of the cases are related.

Here is a timeline of events associated with the breaches:

May 5: Gregg Steinhafel, the chairman and CEO of Target during the breach, steps down. Chief Financial Officer John Mulligan will serve as interim CEO, while board member Roxanne Austin will serve as interim non-executive chair of the board. Steinhafel was with the company for 35 years.

April 29: Target says it will accelerate a transition to using more secure chip-and-PIN cards and card processors. It also announces the hiring of a new chief information officer, and says vendors are no longer allowed access to the breached server.

March 17: Sally Beauty, a significant player in the cosmetics industry, announces a breach of credit card data involving less than 25,000 cards. It opened an investigation on March 5 after discovering an attempt to breach its network.

March 14: Target warns in a federal regulatory filing that its ongoing investigation could turn up "additional information that was accessed or stolen."

March 5: Target says it is replacing its chief information officer and filling two other top information security posts as part of an "an overhaul of our information security and compliance structure and practices at Target."

Feb. 4: Mulligan, the Target CFO, testifies to Congress that the company would accelerate its investment in advanced credit card technologies. Mulligan says the company first learned of the breach when notified by the Justice Department. Neiman Marcus and law enforcement representatives also testify.

Feb. 2: White Lodging says it is investigating a breach involving bars and restaurants at 14 hotels it manages, including Marriott (MAR), Radisson, Renaissance, Sheraton, Westin and Holiday Inn locations. The breach occurred between March 20 and Dec.16, 2013. Independent security researcher Brian Krebs first reports this breach on Jan. 31.

Jan. 30: Target says stolen vendor credentials were used in its massive breach.

Jan. 28: Consumer Bankers' Association, which represents nearly 60 of the nation's largest card-issuing banks, says its members have responded to the Target breach by replacing 15.3 million consumer cards at a cost of $153 million.

Jan. 26: Michaels, the country's largest crafts chain, reports "possible fraudulent activity" on some of its customers' payment cards, suggesting there may have been a breach. CEO Chuck Rubin says the company has not confirmed a breach, but wanted to alert customers.

Jan. 23: Neiman Marcus acknowledges cyber-criminals stole card information for 1.1 million customers who shopped at the retailer between July 16 and Oct. 30, 2013. About 2,400 cards were later used fraudulently, it said.

Jan. 16: Federal investigators warn retailers and other companies that accept card payments about an advanced piece of malicious software that potentially affected a large number of stores. It is widely believed this was the malware that infected Target.

Jan. 14: The nation's largest retail bank, J.P. Morgan Chase (JPM), says it is replacing 2 million customer cards, prompted by the Target hack.

Jan. 11: Neiman Marcus says a cyber-security firm has found a payment card breach. The company says it is too early to tell how many customers have been impacted.

Jan. 10, 2014: Target says hackers also obtained personal information -- including name, address, phone number and e-mail address -- for up to 70 million customers. It says there may be some overlap with the 40 million impacted by the credit and debit card breach, but it couldn't say how many were counted twice.

Dec. 27: Target says cyber-criminals made off with PIN data, adding that information was "strongly encrypted" and likely remains "safe and secure." It had earlier said PIN numbers were not part of the breach.

Dec. 22: Chase Bank implements strict limits on how much customers can withdraw and spend using debit cards, citing an effort to prevent fraud. Within days, it relaxes those limits.

Dec. 21-22: Target offers customers a 10% discount on many items in its stores.

Dec. 19: Target confirms a breach from Nov. 27 to Dec. 15 involving up to 40 million cards.

Dec. 18: The Secret Service acknowledges it is investigating a reported breach that involved credit and debit cards at Target (TGT). The news was first reported by Brian Krebs, a security researcher and blogger.

--CNNMoney's Jose Pagliery, Chris Isidore and Katie Lobosco contributed to this report

Join the Conversation
Search for Jobs