By Peninsula Daily News
and Associated Press
NEW YORK — Target’s massive pre-Christmas security breach may have affected 110 million people.
The incident could turn out to be one of the largest data breaches on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90 million records pilfered from TJX Cos. Inc.
Target Corp. disclosed last month that about 40 million credit and debit cards may have been affected by the breach that occurred between Nov. 27 and Dec. 15.
But according to new information released Friday, those criminals also stole personal information — including names, phone numbers as well as email and mailing addresses — from as many as 70 million to 110 million customers who could have shopped at stores outside of that timeframe.
Free credit monitoring
The company vowed that “guests will bear absolutely zero liability for charges they didn’t make.”
Target also announced one year of free credit monitoring and identity theft protection to all customers who have ever shopped its U.S. stores.
Credit monitoring services help consumers keep tabs on their credit reports.
The services track consumers’ credit reports and immediately send an alert if any changes or suspicious activities occur.
The services typically cost $10 to $15 per month.
While Target hasn’t confirmed yet how the credit monitoring program will work, consumers can phone 866-852-8680 for more information.
‘Phishing scams’
Meanwhile, the Washington state Attorney General’s Office warns consumers to be on high alert for “phishing” emails — emails that look like they originate from Target but are actually scams directed at obtaining personal information.
Phishing emails have already appeared offering “free” Target gift cards and Target-related credit card monitoring.
They typically mention “Target” in an email that directs consumers to a website with the word “Target” in its URL.
Do not give out personal information to someone who contacts you before going directly to Target’s website to confirm the presented information is correct.
The most up-to-date data breach information for consumers — including what’s happening on the credit monitoring program — can be found on Target’s website: https://corporate.target.com/about/payment-card-issue.
Q&A
Q: How did this happen?
A: Target has said that the breach was caused by malware that affected its U.S. stores.
Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches like this one, says it’s likely that the perpetrators infiltrated Target’s main information hub with malware and from there were able to access the store point-of-sale systems.
Once the malware was in the POS systems, it could collect credit and debit card numbers as the cards were swiped.
Stasiak notes that retailers routinely collect personal information such as addresses, emails and phone numbers through things such as rewards cards when sales are made, so that information is also contained on POS systems just like credit card numbers.
Q: If my card number was stolen, what exactly am I on the hook for?
A: In most cases consumers aren’t responsible for fraudulent credit card charges.
Credit card companies are often able to flag the charges before they go through and shut down your card.
If that doesn’t happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately.
Usually the worst thing consumers have to deal with is the hassle of getting a new credit card.
But since debit cards don’t come with all of the same protections, holders of those kinds of cards may have a harder time getting their money back.
And the banks and credit card companies ultimately won’t be stuck with the bills, either.
Since the fraud has been tied to Target, the retailer will be responsible for compensating them.
Q: What are the odds that my identity will be stolen?
A: There’s no way to know. But Stasiak says the revelation that personal information was taken in addition to credit and debit card data makes it much more likely that the thieves weren’t just out to steal credit card numbers for financial gain.
For instance, criminals could use that personal information to send specific phishing emails to Target shoppers that prompt them to click on links that send malware to their own computers and steal even more information.
And identity theft damage could be much harder for victims to repair than credit card fraud.
In addition, if the theft is discovered months or even years down the road, it will be much harder to tie to the Target breach, Stasiak says.
Q: What should I do to protect myself?
A: Consumers who think they may be affected should check their credit card statements carefully for potentially fraudulent charges.
Experts say in cases like this when a huge amount of information is stolen, the thieves often sell it on the black market to the highest bidder.
As a result, it could be a while before someone tries to use the information for nefarious purposes.
If you see suspicious charges, report the activity to your credit card companies and phone Target at 866-852-8680.
You can report cases of identity theft to law enforcement or the Federal Trade Commission.
Stasiak says that since it could be a long time before identity theft victims even realize they’ve been hit, people should take Target up on its offer of free credit monitoring.
Those services, for instance, inform consumers if someone takes out a loan in their name.
He also advises potential victims to change email passwords and to make sure that the same passwords aren’t being used for other accounts like Facebook.
And while the company has not said that its website was compromised in the attack, he says shoppers also should change their passwords related to those, since it’s apparent that Target doesn’t yet have a full grasp of the damage.
Consumers can get more information about identity theft on the FTC’s website at www.consumer.gov/idtheft, or by calling the FTC, at 877-IDTHEFT (438-4338).
