For nearly a month, retail giant Target has been engaged in damage control from the news that it was the victim of a massive data breach. It first announced on Dec. 19 that about 40 million credit and debit card accounts were compromised by a massive data breach.
Then the retailer disclosed that along with the theft of credit card information, the hackers also took personal information. Target says that up to 70 million of its customers could have had their personal information stolen, including names, email addresses, phone numbers and mailing addresses.
The breach, in other words, is much broader than initially believed. Considering the breach occurred during a critical holiday-shopping period and that it impacted so many of its customers, the company has some serious explaining to do. People who shop at Target want their questions answered sooner rather than later. But this is still a developing story, and Target is still keeping some details close to the vest. Here is what we know so far, along with what Target shoppers should be doing to avoid being victimized by identity thieves or, failing that, to minimize the potential damage.
Target’s Massive Data Breach: 10 Things You Need to Know
By Don Reisinger
The First Concern? Your Credit and Debit Cards
Target announced last month that hackers stole approximately 40 million debit and credit cards.
The information the hackers collected allowed them full access to card numbers and could potentially open the door for them to make fraudulent purchases.
Target Will Cover Fraudulent Charges
Speaking of fraudulent charges, Target says that consumers need not worry. On an FAQ page on its site, Target reassured its “guests” that they will not be liable for any fraudulent charges that might arise because of this data breach. It’s not clear whether significant numbers of Target shoppers have been hit with fraudulent charges.
Free Credit Monitoring and Identity-Theft Protection
Target, like many companies that have experienced data breaches in the past, will offer its customers free credit monitoring for a year. Target has also promised to pay for a full year of identity theft protection for all affected guests. Target plans to share more details of that offering soon, but its response is the standard in the security space when such a large-scale breach occurs.
The Credit Card Data Was Stolen Over a Few Weeks
It’s shocking just how long the Target data breach went on before the breach was discovered.
According to Target, the breach started on Nov. 27 and continued until Dec. 15 before the point of entry was found and blocked. That gave the hackers plenty of time to collect names, card numbers, expiration dates and security codes on the stolen cards.
The Black Market for Stolen Credit Cards Is Booming
Reports suggested recently that the underground market for stolen credit card numbers is booming. In fact, a report from security news site KrebsOnSecurity said that cards are being sold for anywhere from $20 to more than $100 each on black market sites.
The cards are reportedly being sold in one-million-card batches.
Data Loss Numbers Increase
According to Target, up to 40 million credit and debit cards, including full identifying information, was stolen. In addition, up to 70 million customers had their personal information taken, giving hackers another opportunity to generate revenue from the breach. Such sobering data wouldn’t be complete without a dose of reality: Target says that despite the breach, it will still generate a profit of $1.20 to $1.30 in earnings per share for the fourth quarter. What’s more, sales went down after the announcement of the breach, but have “since shown improvement in the last several days,” according to the company.
Target Claims Canadian Customers Are Safe—So Far
So far, Target has said that the breach impacted only U.S.-based customers. In fact, the company wrote on its FAQ page that Canadian customers need not worry about being looped into this massive breach.
Here’s hoping it stays that way.
The Big Question on PINs
There’s an ongoing question surrounding PINs and the Target breach. Target has said that the hackers collected PIN data, but the company claims it’s “strongly encrypted” and is therefore “safe and secure.” Some customers have understandably expressed concern over the PINs, but the company line right now is that they shouldn’t worry.
Ongoing Scams are Wreaking Havoc
Target has posted guidelines on its Website for sniffing out possible scams.
The company said that its customers should particularly be on the lookout for a wide range of scams, including phishing, smishing (the text-message route for phishing attacks) and social engineering, designed to steal a person’s identity.
All Target customers should be on the lookout for anything suspicious.
Target Says the Issue Has Been Resolved
Why not end on a small dose of good news? According to Target, the hole that allowed hackers to break into the company’s network has been plugged and the company now believes that its systems are secure. Based on how this has gone so far, however, don’t be surprised if Target’s “ongoing investigation” reveals yet more breaches or security leaks.
Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis’ Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.