January 10, 2014

Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone number and email addresses for up to 70 million individuals.

The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning.  “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Target said much of the data is partial in nature, but that in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.

Target Chairman Gregg Steinhafel apologized for any inconvenience that the breach may have caused customers, and said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.

This latest disclosure also raises questions about what other types of information may have been jeopardized in this data breach. As part of its statement, Target said it would be offering a year’s worth of free credit monitoring services to those affected. Target does collect Social Security numbers from customers who apply for Target Red Cards, which offer applicants 5 percent cash back if they agree to tie their debit accounts to the Red Card. So far, however, Target has not said anything about compromised Social Security numbers.

Reading between the lines, one might wonder why Target is providing credit monitoring services to those hit by what is essentially a credit card breach. Many people conflate credit card fraud with identity theft, but these are two very different problems. The former is quite easy for the consumer to resolve, and he or she has very little (if any) liability for fraud. Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer’s name, which can take many years and cost thousands of dollars to resolve.

The reason Target is offering ID theft protection as a result of this breach probably has more to do with the fact that this step has become part of the playbook for companies which suffer a data breach. Since most consumers confuse credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, whereas experts tell me that this offer mainly serves as a kind of “first response” to help the breached entity weather initial public outrage over an intrusion.

Update, 1:07 p.m. ET: Added additional perspective on this announcement.


190 thoughts on “Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen

  1. RBBrittain

    Target has announced its free credit monitoring service as Experian’s ProtectMyID. Details are posted on Target’s data-breach page.

  2. TheHumanDefense

    All,
    I encourage you to look at the Verizon Data Breach Investigation Report. You can down load the 2013 report (on 2012 investigations) from Verizon site. I do not work for them, but in my work I depend on this report heavily since it is not survey results, but the result of actual investigations. It will give you another perspective on Insider Threat vs. Outsider Intrusions.
    Be diligent, follow your gut, don’t operate in cyber space any different then you would in a strange parking lot at night. Be aware, awareness will help you feel safe and reduce your risk.

  3. Martha

    I just signed up for the Target credit monitoring service. They are using a product called ProtectmyID from Experian. After I signed up, I got a friendly letter from Douglas Sash, VP of Customer Care for ProtectMyID. In it, he outlines all of the ways the product protects me, including scanning the internet for my SSN and up to 3 credit/debit cards to see if any of these are showing up in back market/illegal activity websites. However, there is no link in my profile after I log on to enter my SSN, permission for them to scan it, or the 3 allowed credit/debit card numbers. Target’s breach website does not, interestingly enough, list this internet scanning service as something that is provided by ProtectMyID. So I am wondering if Target purchased a modified product, with few services attached to it, than what is actually marketed by Experian as ProtectMyID. I sent an email to ProtectMyID to find out and will post later about what I discover. Obviously, I would like to enter my Red Card as one of the cards to be monitored, and considering that Target has my SSN and even though they’ve said no SSN’s were taken in the breach, I don’t trust them and I’d like to have that monitored through this service too.

    1. TheHumanDefense

      Martha,
      Seems like you definitely need to do all of that. I am waiting to hear what you hear back from them. Target has been victimized and there for all of us have been victimized. Good luck

    2. laura m.

      Martha and others : Cancel your red card NOW, never trust it again. Everyone I know canceled theirs never to renew. Use cash only in Target or avoid going there. Can’t imagine anyone wanting that red card since it links direct to bank acct. Now, I buy prepaid cards for Wal M, grocery stores and Academy sports, etc. or use cash. Safer: quit using all debit cards now.

  4. laura m.

    Laura Dothan, AL comments: These store breaches are inexcusable and gov. needs to fine them heavy! Sue them for wrongful conduct and failure to protect/secure their data. Class actions nationally. Act now if a victim. Call your state bar for info and referrals. Buy prepaid gift cards or use cash for any stores as they are all at risk.

    1. Serena

      I personally think it’s premature to suggest that Target should be fined. We don’t yet know exactly what went wrong. In my opinion they should only be fined or suffer some other type of punishment if they were negligent. That’s why I still shop at Target, I’m not ready to punish them yet. Keep in mind too that they provide good jobs, lots of jobs. And in my neighborhood they provide the only decent grocery within walking distance of my condo.

      1. JCitizen

        For me it is their reluctance to report problems to customers early. Of course I can understand why a business would hesitate in the middle of the busiest season of the year; but we get angry at this enough that it can foment the kind of “OFF WITH THEIR HEADS!!” attitude you are seeing. The sooner communications start with the public, the more forgiving we can be; or at least I tend to be that way.

        One rule of personal finance credit-worthiness is to communicate with your creditor often and keep uptodate; the other side of the coin applies too!

    2. Savvy Jon

      If we asked “the Federal Government” to punish all those businesses and organizations that have suffered a breach attack, not only would the list be very very long, but it would also have to include various agencies of the Federal Government itself.

      Readers of Brian’s blog have been exposed to enough reports of breach incidents to recognize that there is no perfect security system. As you may recall, Experian (the business that now offers credit monitoring services for victims of the Target breach) was itself the victim of a breach.

      As these attacks increase in frequency and scope, IT security may finally be afforded a larger role in the overall business/organizational strategy.

  5. Mark

    When one buys alcohol at Target (even with cash), they don’t just visually inspect one’s license for age to verify you can purchase it, they scan at least the mag stripe on your driver’s license at the register. Did they lose that data too? (Anything else? Rx info in the pharmacies?) Older licenses may still have SSN on them.

    1. TheHumanDefense

      Mark,
      Good point! I imagine the data onion is getting pealed as we speak and anything could be possible at this time. Somewhere, someone is getting very rich off of this breach.

    2. Mack

      Serena: We transferred our perscription to another drug store from Target. They engaged in wrongful conduct/failure to secure data and will be sued big time. They need to pay- their data security was slacking; no excuse either.

      1. Serena

        Mack, nobody knows exactly what happened so nobody, including you (unless you were directly involved in the theft, that is), knows if Target engaged in “wrongful conduct”. If it makes you feel better to declare war against Target, keep in mind that right now you are acting selfishly. And if you keep declaring war against all retailers who suffer data theft, you might eventually find yourself with no place to shop….

  6. TheHumanDefense

    Just an FYI – There are national news agencies now reporting that other then Target and Neiman Marcus, there are 3 other major retailers now reporting breaches, but have not released the organizations names yet.

  7. Savvy Jon

    Those clamoring for punative measures against Target should be aware the backend processor is the repository for transactional data. And before there is a call for action against them, it might be appropriate to recognize the level of sophistication of the attackers. Our US financial system is under heavy attack, not just retailers. Our top banks are very aware of the increased threat level and are collaborating with law enforcement and academia to address the threat. That being said this is an ongoing war, this attack on US retail businesses was just the most recent battle.

    1. Serena

      IT security reminds me of the fight against harmful bacteria and viruses. Bacteria and viruses are one step ahead of medicine and probably always will be due to their high degree of adaptability and innate persistence. If Target is a victim of a very sophisticated hack attack that no reasonably competent IT security team could have prevented, then wishing to punish Target would be equivalent to wishing to punish a physician for having no way to treat a drug-resistent microorganism.

  8. Mark

    Target has done a far better job commuicating on the breach than Sony or others who have had one. Forensics work needs to be accomplished in order to truly determine what took place and the damage caused.

    One thing that we need to move to in this country is to have the major card brands install smart chip technology into the cards. And yes, there is an associated cost in doing so but it has to be better than where we are today.

  9. Savvy Jon

    Dr. Peter Sandman, developer of Outrage management made this comment to me, “crisis communication best practice recommends making sure that the first assessment of the seriousness of the crisis is the worst assessment. It’s okay to come back later and say the situation is not as bad as we feared. It’s devastating to come back and say it’s worse than we thought. An organization that has to do the latter more than once often goes out of business.” Target made this classical crisis management communications error.

    1. JCitizen

      I totally agree, which is why I’m pissed at Target!

  10. afterthoughts

    I was in Target today and while paying the Point of Sale system asked for my Driver’s License. The clerk didn’t understand that as I was buying pants. She canceled the whole thing and started over… this time it was fine. BUT, when I went to pay, it would not accept my PIN Number, and I was forced to run it through as Credit (Visa line).

    This makes me suspect that the system is STILL compromised…

    1. JCitizen

      I don’t use my PIN anyway, for just that reason, that is just one more thing they DON’T get, and better for me! Maybe they decided to stop using manually enterned PINs at all, because, like you said – they haven’t got it secured even yet!

    2. voksalna

      One of the problems with breaches is what may look like a symptom of still being breached may actually be a symptom of them fixing the breach. There are often a lot of things that need to be fixed and reset, and sometimes this can be a complicated thing to remedy and repair, depending on how deeply a corporate network is compromised.

      Which is not to say that I believe their problems are totally fixed or that I believe that they aren’t. That sort of symptom seems more like a ‘fixing problem’ symptom than a ‘compromise problem’ symptom, considering how likely it was those problems were not present before the breach was discovered.

  11. JD

    Mr. Krebs,
    If you’d potentially been exposed in the Target data breach and had gotten the email Target sent out today, would you sign up for the Experian ProtectMyID service? I am inclined not to because of your earlier article from 10/20/13 about the Adobe data breach. I would value your opinion on this.

  12. Not Happie

    I have a friend who posted this(her card got swiped at Target, and her bank confirmed that is where her info was stolen):

    “The thieves have my cell # & posed as my bank asking me for my online banking security code. I hung up, of course. But it even showed up in my caller-ID as my bank’s 800 #.”

    I’m concerned that having had money from her account stolen(to the tune of $1500m though it was replaced) may not be the end of the story for her.

    What measures should she(and all who are in danger) take in minimizing chances of more damage from identity theft?

    1. TheHumanDefense

      Not Happie,
      Well, I know you don’t want to hear this, but there is no silver bullet. So, can you be 100% sure, I cannot tell you.
      Make sure you use any credit monitoring you or your friend might be offered by Target. See some of my other suggestions here:
      Use your credit card or banks available protections on a transaction level.
      1. Have a Text sent to you for any transaction over 100.00 (or whatever you are comfortable with)

      2. Have a Text sent to you for any cash withdraws over 100.00 (or whatever you are comfortable with)

      3. Do not use your debit card as a debit card. If a card skimmer is present within the POS (point of sale) device that you are sliding your card through, they will capture your PIN and now they can clone the card and wipe out your bank account.

      4. Use credit cards whenever possible. Without getting into all of the laws and protection, I just want you to understand that you are always, ALWAYS using the banks money when you use a credit card until you pay it back. They get loans to provide loans to the customer. This is why they take immediate action on credit card fraud. Plus, its not tied to your lively hood.

      5. Use cash when possible, if you can, use cash. I know it sounds crazy, but fact is I only use cash to purchase gas because of the ramped use of skimmers in my region of the country at gas pumps.

      6. Use PASSPHRASES instead of passwords. Without getting into all the technical aspects, just know that your safer if any passphrase you make is over 15 characters.
      Example: patriotgamesPage57Chapter8 this type of passphrase increases the time it takes to crack it over 10 years. change it about once a quarter or every 160 days.

    2. voksalna

      She could call her bank and ask for an extra security method. She should get her bank card reissued. She might want to consider having a ‘fraud alert’ placed with the credit bureaus (a standard practice for identity theft victims). She might want to consider getting a new sim that she only uses for banking if she has a dual sim card and change the phone number with the bank so that the thiefs do not have her phone number (both her number and the bank’s number can be spoofed easily through cheap electronics or online means). All of these depend on paranoia levels. HumanDefense was right in suggesting to have a passphrase with the bank customer service; if you do not set one explicitly, they will use a common identifier like in the US SSN or address or mother’s last name if any thing at all. This is your best defense along with her getting a new debit card issued. If they called her bank is she sure it was not malware/a banking trojan, though? If it is then most of this will not help much if her computer is infected and she is just entering in new information.

      1. TheHumanDefense

        voksalna,
        Your suggestions are great!! Just wish I wasn’t detracted during my note and would have thought to post some of this stuff. 🙂
        Great stuff my friend, and after 18 years in the credit card business, I have never, ever seen so much card fraud as I have in the last 5 years. Man-o-shevits!!!!!

        1. voksalna

          :). Your ideas were great too. And I have been a repeated and emphatic commenter on the issue of using cash. Aside from large purchases and places that require a credit card (and funny enough most of the places that do insist on a credit card explicitly ARE large purchases — a hold on a card for a car rental for instance) the reliance on debit cards for day to day spending is a disaster waiting to happen for most people. If convenience and not wanting to carry cash all of the time is an issue and you are a regular purchaser somewhere (for instance a grocery store) many stores have their own branded gift cards in reasonable denominations. Or there are always the branded Visa/MC/AmEx gift cards you can get at most American gas stations, grocery stores and pharmacies.

          People think because someone suggests ‘don’t use your card’ that there are no other options. Cash is the best option, but stored value cards can be a very useful alternative and have the potential to limit loss for the consumer.

  13. Martha

    IMPORTANT MISLEADING INFORMATION ABOUT FREE TARGET CREDIT MONITORING, PROTECTMYID

    Credit monitoring service from Target is not what it appears. I found this out after signing up the first day for what is being called “ProtectMyID,” which is a specific product for credit monitoring offered for sale by Experian. After I signed up, I received a personalized and polite letter from Douglas Sash, Vice President of Customer Care at ProtectMyID. The letter was addressed to my name, and included my specific customer number. It thanked me for signing up as a new member of ProtectMyID, and went on to enumerate all of the services that ProtectMyID uses to protect me.

    The problem is that some of these services are not actually included in the program Target signed up for. Probably the most valuable of all, the service where ProtectMyID scans the Internet for signs of illegal use of my credit and debit cards and Social Security number, is NOT included in the Target package, even though it is listed in the letter from Mr. Sash. Since my Red Card was used during the data breach, the first thing I would obviously want to do is to have black market websites on the Internet scanned for my card. But this service is not available, nor is the lost or stolen wallet assistance available, also listed in the letter from Mr. Sash as a provided service under my account number.

    I discovered that these services were not offered because they are not listed in my Protection Center, which Mr. Sash’s letter instructs me to visit next as a new member.

    Under ProtectMyID generally available to the public, these services appear under the Protection Center.

    When I contacted ProtectMyID’s customer by email to inquire about this discrepancy, I received an email back telling me that my issue could not be resolved by email. I was then instructed to call customer service. When I did that, I was shuttled around but eventually ended up with someone who admitted that the letter I got was just a generic one, and that the service Target signed up for did not include either internet scanning or lost wallet services, contrary to Mr. Sash’s letter.

    I told the representative that I wanted to add the internet scanning service to what I received from Target and she told me that I could not do that. To get that service, I would have to pay for a whole new subscription at the full cost, which I think is $17.95 a month, even though that would duplicate several of the services Target already activated for me.

    This is a very disingenuous way of doing business, both on the part of Target and Experian, and does constitute blatant false advertising and misleading the consumer. The letter I received is, in fact, stating that I am getting services that are not actually provided to me. The customer service mope explained that this is just a generic letter that goes out to all customers, even if they don’t get the full package of services. My opinion is that since they essentially created a modified product for Target’s 110 million data breach customers, they certainly could have taken the time and bother to have composed a letter from Mr. Sash that delineated the services included in that specific product.

    The really stupid thing here from the Target perspective is why they chose to exclude the one service people with stolen cards would want–the Internet monitoring for their stolen card. They have said that Social Security nos. were not stolen and that this is an issue of stolen cards only. So why are they giving people “credit monitoring” and not credit card monitoring?

    The other thing people need to know about this service is that it only monitors their Experian credit report, not the ones from Equifax or Transunion.

    Read the description of your monitoring service that Target provided you carefully. It is NOT a comprehensive credit monitoring program, and it is NOT ProtectMyID, contrary to the letter you will receive from Mr. Sash.

    1. TheHumanDefense

      Martha,
      I am very happy you posted this. I hope that other organizations can see this as a lessoned learned for their incident response plan. If your going to offer a service, lets not get cheap about it. Cheap = don’t care

      Thanks again, this is very good information.

  14. Ellen Camner

    Mr. Krebs…I believe you are a giant in the security arena, I’m most interested to know if you have a vision and view of the potential future of security in general and if you feel there are, or will be, any effective ways to deal with the nightmares we all have to endure. Ellen (formerly of Burke, VA)

Comments are closed.