A look at what happened and why Target has failed its customers in so many ways.
Dec. 18: News of the breach is reported by data and security blog KrebsOnSecurity. The Wall Street Journal reports that the Secret Service is investigating.
Dec. 19: Target acknowledges the data breach publicly, saying the matter is under investigation. It states that information accessed included customer names, credit or debit card numbers used, their expiration dates and encrypted security codes. The retailer’s website and customer service hotlines become jammed as Target begins to assist customers with protecting their data. Molly Snyder, a spokeswoman for Target, tells WSJ that “at this time we have no indication that PIN numbers were impacted.”
Jan. 10, 2014: Target says that some additional 70 million customers had their personal information stolen during the holiday data breach. The stolen information may include names, mailing addresses, phone numbers, or emails.
The retailer said it notified authorities and financial institutions immediately after it was made aware of the unauthorized access, and had hired a forensics team to thoroughly investigate how the breach may have happened. The issue that allowed the breach has been identified and resolved, according to Target spokeswoman Molly Snyder.
My problem with this whole thing is that Target really failed to educate their customers about the possibilities of future attacks on their identities. Knowing that the thieves “possibly” stole names, addresses, telephone numbers, email addresses, Target needed to provide more in the way of education and comprehensive protection. Customers have not been briefed on the four ways customers may get “hacked”:
If you have an email account, you’re probably already familiar with phishing, which is when you (and thousands of other people) get an email claiming to be “your” financial company, email provider, department store (Target), or best friend (among other identities) in an effort to get you to give them sensitive financial information or personal information (like your Social Security number), or even to click on a link that will collect that information or install a virus or malware onto your computer.
Is just a more targeted form of phishing: hackers will go through lists of contact data looking for people that seem either more vulnerable to phishing tactics or more important – like people who work at financial services companies or customers of Target – and send them tailored emails that appear to come from specific, important people they know. They’re often asked to click on links or download seemingly innocuous files and – bam – the hackers are in.
Vishing is how hackers take advantage of phone number databases – like the ones accessed in the Target andSnapChat hack. They’ll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just confirm your Social Security number), Microsoft (just let them log into your PC remotely) or Target (to provide them with credit monitoring) to try to gain access to your personal or financial information or even install malware on your devices.
Perhaps the newest identity theft technique is smishing – Hackers use cellphone numbers they’ve obtained – through everything from the SnapChat hack to the Target hack – to text people unawares. They can disguise their numbers, pretend to be companies with which you are affiliated or simply encourage you to open a link that can install malware or viruses on your smartphone.
These techniques require that consumers actually fall for it! They require you to let your guard down. They require you to think that Target’s offer of free credit monitoring (one bureau) is all you need to protect yourself, that a hacker having your email address isn’t a big deal, and that once your credit card is replaced, you need not closely monitor your accounts after that.
The fact that target only provided a credit monitoring program for one credit bureau is ridiculous. Having only one bureau being monitored will lead the customer into a false sense of security. Not all information is reported to all three credit bureaus. You could have situations where fraudulent use of the customer’s identity will go undetected because was used to access the customer’s credit. A good example of this is in the auto industry. Many times the finance companies will only use one bureau to determine the customer’s credit worthiness.
February 4, 2014
(Reuters) – Target Corp, which suffered a massive data breach during the holiday shopping season, is speeding up a $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft, a senior company executive said.
In an opinion piece on Monday in the Hill newspaper on the eve of his much-awaited appearance before the Senate Judiciary Committee, Chief Financial Officer John Mulligan said the retailer’s goal was to have the technology in place by early 2015, more than six months ahead of schedule.
This is great news for Target at a very opportune time. They are trying to save themselves and, more specifically, they are trying to save face. In my humble opinion, Target needs to spend additional monies to mitigate the risk of its customers being victimized by fraud.