Page 1 of 1

More from Target?

Posted: Thu Jan 16, 2014 7:40 pm
by ResearchMed
Well...

We've just received a charming email from Target.

Among other things, it states:

"I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion."

This was apparently determined "late last week".

This is "interesting", because the last time we were in a Target store was in November, 2012, and before that? About 5 years earlier.
And I'm not sure when we last shopped there online. Ah, yes. Mid-summer, 2012. Definitely not recently.

And this was really appreciated:

"In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
- Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number."


Okay, obviously we made a big mistake sharing that information with YOU, Target!

It's really nice for them to chastise the customers as though WE inappropriately "shared" such information.

How, exactly, is one ever to do phone ordering, per Target's directive?
They seem to have forgotten to mention the critical bit about "if someone calls you" vs "if you call a known vendor". Big difference there.

We are trying to figure out how we managed to be on this list, if it was supposed to affect RECENT customers only.
Apparently not.


RM

Re: More from Target?

Posted: Thu Jan 16, 2014 7:51 pm
by Kerdaboy
Edit: My bad just saw the newest target email communication from 1-15-14

Re: More from Target?

Posted: Thu Jan 16, 2014 7:54 pm
by countdown
I think I shop at Target maybe 1-3 times per year for miscellaneous items. Unfortunately, it was around the Christmas season when the breach apparently occurred.

However, in fairness to Target, I didn't find their email insulting. I guess when we use anything but cash, it's a risk we assume, albeit small.

This is what I received today; a one-year credit monitoring subscription. This seems to be the remedy companies are providing their customers for these unacceptable breaches of security.


"Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
Delete texts immediately from numbers or names you don’t recognize.
Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel

Chairman, President and CEO"

Re: More from Target?

Posted: Thu Jan 16, 2014 8:01 pm
by sscritic
This has been covered in other threads, you know, the ones with Target (not date) in the title.

I got my email on Monday and posted. Today is Thursday. If you want to keep up, you have to keep up. The letter has been quoted before. In fact, as a tribute to the snip thread, I created a post this morning that had two complete copies, one being formatted much better than the other (it was also within a quote box as the letter was being quoted). I was hoping that someone would come along and quote my two complete letters post and add a third, but I didn't see it last I looked. :)

http://www.bogleheads.org/forum/viewtop ... 4#p1925174

Re: More from Target?

Posted: Thu Jan 16, 2014 8:03 pm
by ResearchMed
sscritic wrote:This has been covered in other threads, you know, the ones with Target (not date) in the title.

I got my email on Monday and posted. Today is Thursday. If you want to keep up, you have to keep up. The letter has been quoted before. In fact, as a tribute to the snip thread, I created a post this morning that had two complete copies, one being formatted much better than the other (it was also within a quote box as the letter was being quoted). I was hoping that someone would come along and quote my two complete letters post and add a third, but I didn't see it last I looked. :)

http://www.bogleheads.org/forum/viewtop ... 4#p1925174
I'm more concerned about the statements that the "breach" affected RECENT customers.

We haven't dealt with Target since 2012, in person, online, or by phone.

RM

Re: More from Target?

Posted: Thu Jan 16, 2014 8:37 pm
by sscritic
When you buy online, you need to create an account. I keep a record of mine. Target is not among them. I get emails advertising products from almost all of them (hint: do not use two email addresses, or at least do not give them both to the same company. I always enjoy my double dip of J. Crew every morning in my inbox). Target is not among the senders of emails to me.

So how did they even get my email address? How did they get yours? Think affiliates. Think of the privacy and sharing options that companies send you all the time.

In my case, I am guessing it is ancient history. I had a Mervyn's charge card. Don't you miss Mervyn's? I do.

P.S. I am older than dirt. 2012 is very recent.

Re: More from Target?

Posted: Thu Jan 16, 2014 8:43 pm
by sscritic
Even older:

I had a Dayton's charge card in 1970, but I didn't have an email address then. Now if they had sent me a snail mail letter to my student address in Minneapolis, I would have been really impressed with their outreach attempt.

Re: More from Target?

Posted: Thu Jan 16, 2014 8:45 pm
by tuningfork
ResearchMed wrote:I'm more concerned about the statements that the "breach" affected RECENT customers.

We haven't dealt with Target since 2012, in person, online, or by phone.

RM
The initial reports of the theft of card data affected customers who shopped at target during a recent period in Nov and Dec. Last week Target announced they had discovered a more widespread theft of personal data from their customer database that may have included any customers who shopped at Target online at any time in the past.

From http://money.cnn.com/2014/01/10/news/co ... t-hacking/
Target said the personal data stolen could affect its past shoppers -- not just those who have visited the store recently.

Re: More from Target?

Posted: Thu Jan 16, 2014 8:47 pm
by Caduceus
What is really weird is that the last time I shopped at Target was in 2010. The email was sent to an old email account that I haven't used for online purchases in a long while. Out of curiosity, I then pulled up all my credit card statements and went through them. Since I go to the same places and do all my necessary shopping at the same time, it didn't take long to confirm I haven't shopped at Target in nearly three years. (And of all things, for something that cost less than 5 dollars, probably floss ... !!!)

I don't have a Target debit card and I don't maintain an account with Target (actually I always shop if possible as a "guest" for precisely this reason ...). Also, I'm fairly certain (though not 100% sure) that I never revealed that email address in question to Target, so the whole thing is more than a little odd.

I've also always unsubscribed from affiliate marketing within one week of every credit card that I've received by calling the number provided. Maybe they didn't honor my preferences. So much for being a good citizen ...

In any case, my credit card companies have confirmed I am not on the list of compromised accounts that Target sent to the cc companies, even though I received the email. If you call them, they will tell you if you're on that list.

Re: More from Target?

Posted: Thu Jan 16, 2014 8:53 pm
by ResearchMed
tuningfork wrote:
ResearchMed wrote:I'm more concerned about the statements that the "breach" affected RECENT customers.

We haven't dealt with Target since 2012, in person, online, or by phone.

RM
The initial reports of the theft of card data affected customers who shopped at target during a recent period in Nov and Dec. Last week Target announced they had discovered a more widespread theft of personal data from their customer database that may have included any customers who shopped at Target online at any time in the past.

From http://money.cnn.com/2014/01/10/news/co ... t-hacking/
Target said the personal data stolen could affect its past shoppers -- not just those who have visited the store recently.
Thanks very much.

I missed that.
I guess I had (no offense to your screen name!) tuned out "anything Target", because I couldn't immediately remember dealing with them at all "recently", and certainly nowhere near this fall/winter.

I was starting to think about getting the type of charge card account that can generate "one time only use" card numbers [is that still available anywhere?], but I'm more concerned about the address-type information than "just" the card number. So that probably wouldn't help anyway.

If "they" (the hackers of various stripes) are getting into larger databases, it's no longer sounding much like having "chip cards" is going to be such a wonderful solution.

RM

Re: More from Target?

Posted: Thu Jan 16, 2014 9:08 pm
by goodenoughinvestor
Pet peeve--I loathe it when companies refer to customers as "guests" as Target does in this letter (and yes, I received the email this morning, though I don't think I've shopped at Target for a few years). It sounds so transparently manipulative and creepy. But I have to assume that most people don't agree with me--Target wouldn't be using the term unless they knew it increased sales. The word creates real dissonance in the Target letter because the bad guys are called flat-out "criminals"--no euphemism or nicety there. But shoppers are "guests."

Re: More from Target?

Posted: Thu Jan 16, 2014 9:10 pm
by peppers
sscritic wrote:When you buy online, you need to create an account. I keep a record of mine. Target is not among them. I get emails advertising products from almost all of them (hint: do not use two email addresses, or at least do not give them both to the same company. I always enjoy my double dip of J. Crew every morning in my inbox). Target is not among the senders of emails to me.

So how did they even get my email address? How did they get yours? Think affiliates. Think of the privacy and sharing options that companies send you all the time.

In my case, I am guessing it is ancient history. I had a Mervyn's charge card. Don't you miss Mervyn's? I do.

P.S. I am older than dirt. 2012 is very recent.
IIRC...the expression was... I'm as good as gold but older than dirt. :)

Re: More from Target?

Posted: Thu Jan 16, 2014 9:16 pm
by jebmke
sscritic wrote:When you buy online, you need to create an account. I keep a record of mine. Target is not among them. I get emails advertising products from almost all of them (hint: do not use two email addresses, or at least do not give them both to the same company. I always enjoy my double dip of J. Crew every morning in my inbox). Target is not among the senders of emails to me.

So how did they even get my email address? How did they get yours? Think affiliates. Think of the privacy and sharing options that companies send you all the time.

In my case, I am guessing it is ancient history. I had a Mervyn's charge card. Don't you miss Mervyn's? I do.

P.S. I am older than dirt. 2012 is very recent.
This may explain why they would appear to have the info on roughly one-third of the living people in the US. Even with the six degrees of separation from Target, it still doesn't seem possible. Did that many people shop at a Target or affiliate between November and December?

Re: More from Target?

Posted: Thu Jan 16, 2014 10:08 pm
by countdown
'This has been covered in other threads, you know, the ones with Target (not date) in the title.
I got my email on Monday and posted. Today is Thursday. If you want to keep up, you have to keep up. '
...

Sorry, sscritic, I didn't see the other thread(s). Got my email today and wasn't following it.
:happy

Re: More from Target?

Posted: Sat Jan 18, 2014 5:45 pm
by Mudpuppy
jebmke wrote:
sscritic wrote:When you buy online, you need to create an account. I keep a record of mine. Target is not among them. I get emails advertising products from almost all of them (hint: do not use two email addresses, or at least do not give them both to the same company. I always enjoy my double dip of J. Crew every morning in my inbox). Target is not among the senders of emails to me.

So how did they even get my email address? How did they get yours? Think affiliates. Think of the privacy and sharing options that companies send you all the time.

In my case, I am guessing it is ancient history. I had a Mervyn's charge card. Don't you miss Mervyn's? I do.

P.S. I am older than dirt. 2012 is very recent.
This may explain why they would appear to have the info on roughly one-third of the living people in the US. Even with the six degrees of separation from Target, it still doesn't seem possible. Did that many people shop at a Target or affiliate between November and December?
Welcome to the world of big data, where once your information enters a database, it never leaves....

In all seriousness, this is not too surprising. Marketing companies love to have access to this sort of data. Entire software companies exist to merge data from multiple sources and unify it into one massive database. There is no compelling reason to delete entries from that database, even when the entries are known to be out-of-date. Consider the amount of junk mail people receive for deceased people who have been deceased for years or even over a decade. If you ever put the information down on a form or told it to a cashier, just expect it to be out there. The cat is out of the bag.

Once you come to terms with your information being out there, it becomes a bit easier to not lose sleep over things like the Target breach. You focus more on things within your power, such as freezing your credit files to keep people from taking out new lines of credit in your name and reviewing your transactions for fraudulent ones.

Something like this will happen again (and I'm still convinced that Target was not the only retailer hit, just the first retailer to come public), so there's no use worrying about how the information got out there. Focus on containing the consequences of the information being out there instead.

.....

Posted: Sat Jan 18, 2014 5:52 pm
by pinecrest
.....

Re: More from Target?

Posted: Sat Jan 18, 2014 5:58 pm
by jebmke
pinecrest wrote:
Mudpuppy wrote:
Welcome to the world of big data, where once your information enters a database, it never leaves....
Cue Hotel California...
I thought it was the Roach Motel.

Re: More from Target?

Posted: Sat Jan 18, 2014 6:01 pm
by VictoriaF
jebmke wrote:
pinecrest wrote:
Mudpuppy wrote:
Welcome to the world of big data, where once your information enters a database, it never leaves....
Cue Hotel California...
I thought it was the Roach Motel.
Nowadays, roaches are replaced by viruses and worms.

Victoria

Re: More from Target?

Posted: Sat Jan 18, 2014 6:01 pm
by jebmke
Mudpuppy wrote:Something like this will happen again (and I'm still convinced that Target was not the only retailer hit, just the first retailer to come public), so there's no use worrying about how the information got out there. Focus on containing the consequences of the information being out there instead.
I agree. This will continue. I think one has to change from the castle and moat view of the world. You should assume that a system or network can be compromised.

Re: More from Target?

Posted: Sat Jan 18, 2014 6:08 pm
by nisiprius
Mudpuppy wrote:...I'm still convinced that Target was not the only retailer hit, just the first retailer to come public...
+1

http://baltimore.cbslocal.com/2014/01/1 ... ta-breach/

"Hackers have now hit Neiman Marcus and at least three other stores... Reuters reports three more well-known retailers have also been breached. Sources declined to name the stores..."

Re: More from Target?

Posted: Sat Jan 18, 2014 6:34 pm
by ab80
countdown wrote:However, in fairness to Target, I didn't find their email insulting. I guess when we use anything but cash, it's a risk we assume, albeit small.
(Didn't read the whole thread yet.) Whenever I go there and pay with cash, they give me a weird look and use one of those counterfeit money detector pens, even for a small transaction of $40 or $60. Sad world. Could just be the local target where I live, but it doesn't send a very welcoming message.

Re: More from Target?

Posted: Sat Jan 18, 2014 6:39 pm
by Mudpuppy
nisiprius wrote:
Mudpuppy wrote:...I'm still convinced that Target was not the only retailer hit, just the first retailer to come public...
+1

http://baltimore.cbslocal.com/2014/01/1 ... ta-breach/

"Hackers have now hit Neiman Marcus and at least three other stores... Reuters reports three more well-known retailers have also been breached. Sources declined to name the stores..."
I should put this out there too. As someone in the security field, I am actually proud of how quickly Target went public with the attack. Usually, corporations have to be dragged kicking and screaming into revealing a compromise. In the case of a compromise that results in regulatory disclosure of the attack (e.g. "your information may have been stolen" letters to customers), most corporations put off the disclosure as long as possible citing ongoing investigations. It might be months down the road before the corporation actually sends out notification about the compromise.

That Target is revealing things during the investigation and so close to discovering the breach is rather refreshing. I don't know if that is reflective of a choice made by Target corporate or if Brian Krebs was given too big of a scoop and Target decided to go public rather than be evasive, but in either case, it's unusual and should be applauded. Instead, people are running away from their stores and visiting other stores that could very well be victims of the same attack (or similar attacks), but are just putting off disclosure until the last possible moment to "save face". *sigh*

Re: More from Target?

Posted: Sat Jan 18, 2014 6:51 pm
by sscritic
Mudpuppy wrote: people are running away from their stores and visiting other stores that could very well be victims of the same attack (or similar attacks), but are just putting off disclosure until the last possible moment to "save face". *sigh*
And just because I can and because yesterday was the 20th anniversary of the Northridge earthquake, I want to mention all those people who ran away from Northridge after the earthquake. I stayed, figuring I was safe for another 50 if not 100 years. I believe Target is going to be a safer place to shop than many others, just because of this event.

P.S. I know I was being irrational and that earthquakes probably follow a Poisson process, but stay I did.

Re: More from Target?

Posted: Sat Jan 18, 2014 8:38 pm
by jbreittling
I would like to sue Target. I received a new credit card from Discover where they stated that my information was apparently part of the stolen data. Like many, I haven't used my Discover card at Target during the supposed timeframe when the data was stolen.

Re: More from Target?

Posted: Sat Jan 18, 2014 9:29 pm
by JMacDonald
Here is an interesting article about Target: http://www.nytimes.com/2014/01/18/busin ... iness&_r=0
A Sneaky Path Into Target Customers’ Wallets
Target had no clue until the Secret Service alerted the company about two weeks before Christmas.
I received my email from Target, and I have not done any shopping there for months. I am going to put a freeze on my credit.

Re: More from Target?

Posted: Sat Jan 18, 2014 10:01 pm
by AllySK
I got the same email from Target, and wondered how they got my email address. Searched through my inbox, and it looks like I bought something from Target.com in 2009. Ha.

Re: More from Target?

Posted: Sun Jan 19, 2014 1:07 am
by python99
The ultimate irony is that Target lost its customers data, so they want to try to make it right....with one year of credit & identity watch...sounds good..we then send you to a sign up sight that requests you to provide "..Name, address, date of birth and Social Security number which are required.

Sure you just lost my debit/credit card and pin along with my email addresses and who knows what else....and now you want me to provide you (over the web no less) my Name, address, date of birth and Social Security number.......good luck with that one.

Re: More from Target?

Posted: Sun Jan 19, 2014 5:19 am
by peppers
Interested in more but not Target?

We were notified in late 2013 that an office/outpatient facility of a major hospital, Chicago area, was broken into and several computers were stolen. Individual letters came addressed to myself, my wife and to each of our four children. They offered the free credit monitoring report for a year.

Thing is, it's been over 10 years since any of our children used this facility.

Re: More from Target?

Posted: Sun Jan 19, 2014 2:46 pm
by placeholder
jbreittling wrote:I would like to sue Target. I received a new credit card from Discover where they stated that my information was apparently part of the stolen data. Like many, I haven't used my Discover card at Target during the supposed timeframe when the data was stolen.
So what are your damages?

Re: More from Target?

Posted: Sun Jan 19, 2014 2:50 pm
by Caduceus
[Why can't I delete this post? Weird]

Re: More from Target?

Posted: Sun Jan 19, 2014 2:53 pm
by sscritic
placeholder wrote: So what are your damages?
I had to open an email. That must be worth about 1 mill.

Re: More from Target?

Posted: Sun Jan 19, 2014 2:59 pm
by Caduceus
Just out of curiosity ... how does one assign liability for identity theft anyway? Let's say that 10 years later as a result of some corporation's breach, someone's identity gets stolen ... but in the meantime, four different companies suffer similar breaches ... who is responsible for the damage then? It would be hard to pinpoint a single event as the cause of the theft.

Re: More from Target?

Posted: Sun Jan 19, 2014 3:06 pm
by sscritic
Caduceus wrote:Just out of curiosity ... how does one assign liability for identity theft anyway?
I would assign it to the person who stole my identity. That's what the police and courts do.

Here is the Department of Justice. Look for the word criminals.
Many people do not realize how easily criminals can obtain our personal data without having to break into our homes. In public places, for example, criminals may engage in "shoulder surfing" ­ watching you from a nearby location as you punch in your telephone calling card number or credit card number ­ or listen in on your conversation if you give your credit-card number over the telephone to a hotel or rental car company.

Even the area near your home or office may not be secure. Some criminals engage in "dumpster diving" ­ going through your garbage cans or a communal dumpster or trash bin -- to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. These types of records make it easier for criminals to get control over accounts in your name and assume your identity.

Re: More from Target?

Posted: Sun Jan 19, 2014 3:22 pm
by Mudpuppy
Caduceus wrote:[Why can't I delete this post? Weird]
Someone posted too quickly after you. Once there's a post after you, you cannot delete. You can only edit then.