The Target breach is still being investigated but it does appear that the attack was done via malware that got into Target’s “point-of-sale” system.  That was the latest update in a statement issued by Target CEO Gregg Steinhafel and as reported by Tracy Kitten (; “Target: Breach Caused by Malware”).  All Mr. Steinhafel is saying, at this time, is that Target is working with the Secret Service and the Justice Department on this investigation.

Consumers who used debit cards at Target from November 27th through December 15th (the duration of the hacking) do have legal protection against unauthorized uses of their debit cards.  But consumers need to act very fast in order to avail themselves of the protections afforded under the Electronic Fund Transfer Act (EFTA)  

An excellent discussion of the EFTA‘s coverage can be found on the Federal Trade Commission’s (FTC) website (www.consumer.ftc/gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards; “Lost or Stolen Credit, ATM, and Debit Cards”).

As outlined in the FTC article, under the EFTA if someone makes unauthorized transactions with a consumer’s debit card, but that card was not lost, then the consumer will not be liable for those transactions as long as the consumer has reported those unauthorized transactions within 60 days of receiving her debit card statement.

The article also outlines the EFTA’s additional protections for a lost or stolen debit card; those liability limitations depend on whether the card is reported lost or stolen before or after someone uses it.  For example, the consumer is not responsible for any unauthorized uses if she reports it missing before the card’s been used.  If someone has already made unauthorized transactions using the consumer’s card, then her liability depends on how quickly she reports that the card’s been lost or stolen; specific time requirements with their associated liability limits are outlined in the FTC article.

As I’ve previously urged, consumers who used their debit cards at Target need to be very pro-active in contacting their issuing institution in order to protect themselves and get the EFTA liability protections.