Target Breach, Updated

[Rupert]

So now Target says that the names, mailing addresses, and email addresses of approximately 70 million customers may have been stolen during their recent data breach. I seriously doubt that 70 million adult Americans (approximately 1 in 3 of all Americans over age 18) shopped at Target during the 2- to 3-week period they initially said was involved, which means that the thieves likely accessed Target databases in addition to those storing POS information. I fear that means gift registries, mailing lists, and pharmacy records. Can anyone here confirm that this must be true? Am I correct that this sort of personal information is not stored in the magnetic strip data on credit/debit cards and must have come from some other source? Should we all be monitoring credit reports now, in addition to credit/debit card transactions?

[nordlead]

names, mailing addresses, and email addresses are not stored on the magnetic strip of a CC or Debit card.

Personally, I don't care if someone stole my mailing or email address. They are pretty close to public information. I bet I can pick any house in my neighborhood and find the name of the owner within minutes, and worst case I just check their mailbox I then bet I can find their phone number.

You may want to change the password on your e-mail especially if it matched the password on your target account (assuming you have one).

[jebmke]

Maybe they should remove the bulls eye from their imaging.

[Rupert]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

[new2bogle]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

Thanks for the update.

I want to point out that Fidelity pro-actively sent out new CC that we had previously used at Target. I was impressed by that.

[bertilak]

I bet I can pick any house in my neighborhood and find the name of the owner within minutes, and worst case I just check their mailbox I then bet I can find their phone number.

Tax records, including billing name and address, are public records, at least where I live. Our county has a public web page for that info. Phone numbers often can be found one one of those internet sites whose purpose is to look up phone numbers, like http://www.whitepages.com/.

[nordlead]

I bet I can pick any house in my neighborhood and find the name of the owner within minutes, and worst case I just check their mailbox I then bet I can find their phone number.

Tax records, including billing name and address, are public records, at least where I live. Our county has a public web page for that info. Phone numbers often can be found one one of those internet sites whose purpose is to look up phone numbers, like http://www.whitepages.com/.

yea, when I said I could use the mailbox I was thinking renters, but of course they wouldn't be the owners which is what I said

[Rainier]

Not gift registries!!!

The only stuff left on mine is junk, and I don't need any more hand towels. I just don't have the space for them.

[Rupert]

I bet I can pick any house in my neighborhood and find the name of the owner within minutes, and worst case I just check their mailbox I then bet I can find their phone number.

Tax records, including billing name and address, are public records, at least where I live. Our county has a public web page for that info. Phone numbers often can be found one one of those internet sites whose purpose is to look up phone numbers, like http://www.whitepages.com/.

Yeah, but my credit card number can't be found in the phone book, and my credit card number is a lot more valuable to the thieves if it comes with personal identifiers. It allows the thieves to sell my account number to other thieves in my community, as opposed to someone in another part of the world. My credit card company's risk machine (or whatever they call the program that scans all transactions for fraud) is less likely to flag a transaction as fraudulent if the transaction occurs in my town, at a place I might regularly shop. That's why some card numbers from the Target breach are selling for over $100 online. That's why some card issuers are prophylactically issuing new cards.

[fsrph]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

Thanks for the update.

I want to point out that Fidelity pro-actively sent out new CC that we had previously used at Target. I was impressed by that.

I shopped at Target during the security breach period. No unusual charges on my cc, I have been checking daily. However, PenFed was proactive also and sent me a new card which included a chip.

Francis

[nordlead]

again, I'm not liable for the purchase.

The CC fraud alert program has never successfully worked in my experience. Flagging it as fraud if I travel for vacation or work. Flagging a trip to walmart followed by a trip to target (across the street in my town). Flagging large purchases for automobile parts (in my town). But when someone buys $500 of shoes online (at a shoe shop, so that must be what they bought) despite me never buying shoes online, the system lets it through no problem.

So, it doesn't matter if the purchase is local or not if you can't be bothered to check your CC statement for fraud.

[jpsfranks]

I was pretty sure that the breach was larger than they had initially reported. I have a Chase credit card that I have used only 4 times, and haven't used in six months. One of those four purchases was at Target in December of 2012. In December of 2013 Chase alerted me to a suspicious charge and issued me a new credit card.

[JupiterJones]

Target will be providing free credit monitoring and identity theft protection (including a free credit report) to "affected guests":

https://corporate.target.com/discover/a ... o-all-gues

I'm assuming they'll somehow contact you if you're an "affected guest". We'll see...

[ryuns]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

Thanks for the update.

I want to point out that Fidelity pro-actively sent out new CC that we had previously used at Target. I was impressed by that.

I shopped at Target during the security breach period. No unusual charges on my cc, I have been checking daily. However, PenFed was proactive also and sent me a new card which included a chip.

Francis

Are you saying they sent out a new card with a new number? If that's the case, I'd be more annoyed than relieved. Such a pain to switch everything to a new number.

[fsrph]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

Thanks for the update.

I want to point out that Fidelity pro-actively sent out new CC that we had previously used at Target. I was impressed by that.

I shopped at Target during the security breach period. No unusual charges on my cc, I have been checking daily. However, PenFed was proactive also and sent me a new card which included a chip.

Francis

Are you saying they sent out a new card with a new number? If that's the case, I'd be more annoyed than relieved. Such a pain to switch everything to a new number.

Yes, new card with new number. I have a couple of accounts to change, nothing major. Since there were no unauthorized charges on my account, I wonder if my cc company knows more about how large this breach really was. Maybe it's just my mind wandering but every time Target releases news it gets worse.

Francid

[Imbros]

So now Target says that the names, mailing addresses, and email addresses of approximately 70 million customers may have been stolen during their recent data breach. I seriously doubt that 70 million adult Americans (approximately 1 in 3 of all Americans over age 18) shopped at Target during the 2- to 3-week period they initially said was involved, which means that the thieves likely accessed Target databases in addition to those storing POS information. I fear that means gift registries, mailing lists, and pharmacy records. Can anyone here confirm that this must be true? Am I correct that this sort of personal information is not stored in the magnetic strip data on credit/debit cards and must have come from some other source? Should we all be monitoring credit reports now, in addition to credit/debit card transactions?

No one will confirm that this must be true at this point (I work in the industry). All we know so far is that they have the cardholder address for compromised cards, which is something not stored in Mag Stripe. So we already knew that this is not a simple skimming event. The unofficial card count we compiled from Visa, MC and other network data is far smaller than 70 million so far, but it will likely go up.

[ray.james]

I used both my credit cards at target during that period. I am watching vigilantly. I have decided to use a new email service not linked to gmail for my investment and bank accounts.

Just to add this to thread, the hackers did get the PIN numbers along with card numbers and expiration dates. However the PIN's are encrypted. I read on Ars technica that target encrypted using latest algorithms but because of the size of PIN's( 4 characters) and amount of Pin numbers available they will be able to crack them soon.

It is surprising that target admins/network guys did not have any checks in place to automatically alert to their IT when someone is accessing GB's of data on their main databases.

[likegarden]

During those 3 weeks we bought for $5 at Target LOL, but cancelled our Capital One credit card number anyway and got a new card and number. We never had a Target card, so we should be safe. Now there are 110 million sets of data involved. Capital One already checked up on us because we bought something out of the ordinary. and since I did not know that my wife bought for $39 at CVS they stopped the credit card for one day until I explained. They seem to be very cautious, might be losses for banks.

[Mudpuppy]

I suspect this will end up being much bigger than just Target by the time all is said and done. Brian Krebs is reporting a breach at Neiman Marcus in December as well:

http://krebsonsecurity.com/2014/01/hack ... an-marcus/

This might just be the tip of the iceberg. At the very least, what happened at Target is likely not unique to Target. Many other major merchants have weak links in their chains that could be similarly exploited. There is no absolute security.

[tadamsmar]

Target's page on the matter:

https://corporate.target.com/discover/a ... erm=breach

Their FAQ:

https://corporate.target.com/about/shop ... -issue-FAQ

Says you will not be responsible for fraudulent charges, but the regs require your timely reporting fraud within a month or so, so not sure if they are providing something more.

They are still investigating, so I am sure there is more to come. You might get mail from your CC company or a call as some point.

[sscritic]

I got an email offering one year of credit monitoring by Experian® ProtectMyID®. I signed up. Watch out for the sales pitches: you do want to pay for your credit score, of course. Not.

[jebmke]

his might just be the tip of the iceberg. At the very least, what happened at Target is likely not unique to Target. Many other major merchants have weak links in their chains that could be similarly exploited. There is no absolute security.

The CEO of Target was on PBS last night. About all he said was [paraphrase] "there was malware and we removed it." I'm guessing that they won't say what they are doing to harden their systems. I wonder how likely it is that anything substantive has been done yet.

[Diogenes]

Really no sense getting all excited about this intrusion at Target. At any given time there are many of these events going on at other companies in the U.S.
The hackers of the world know it is easy to steal money targeting American companies. Perhaps for the same reason as why prolific bank robber Willy Sutton (also interestingly known as "slick Willie") was asked why he robbed banks. His response "that's where the money is."

We should be concerned about the intrusions we don't see in the papers, and of course take steps to protect ourselves as a matter of course.

The real story here is all the lawyers who are likely hoping to make car payments from some lame class action suit against the other victim - Target. That is turn would of course ultimately be paid by the same consumers who had their information stolen.

[Rupert]

Really no sense getting all excited about this intrusion at Target. At any given time there are many of these events going on at other companies in the U.S.
The hackers of the world know it is easy to steal money targeting American companies. Perhaps for the same reason as why prolific bank robber Willy Sutton (also interestingly known as "slick Willie") was asked why he robbed banks. His response "that's where the money is."

We should be concerned about the intrusions we don't see in the papers, and of course take steps to protect ourselves as a matter of course.

The real story here is all the lawyers who are likely hoping to make car payments from some lame class action suit against the other victim - Target. That is turn would of course ultimately be paid by the same consumers who had their information stolen.

I wasn't excited when I thought they only had my credit card number. The possibility that pharmacy records were breached is a much bigger concern. Without knowing which databases were breached, it's kind of hard to know how excited to get, isn't it?

[Cuzz35]

Just fyi for those of you who have ever shopped at Target but not during December and so thought you were safe: The New York Times reports, "This additional trove of data involves all kinds of customer information that Target had collected over time.Those customers need not have even shopped at Target during the holiday period to have had their information stolen." The new number of possible victims is 70 million to 110 million customers and former customers. Mind boggling.

My wife had not used her debit card at Target in months and was alerted by her bank that her card was charged at a Target store on the other side of the country for several hundred dollars last week. The bank had immediately cancelled her card and sent a new one.

[castlemodesto]

I have started a new thread " Free Target Credit Monitoring"
http://www.bogleheads.org/forum/viewtop ... st=1923179
because it seems a great many Bogleheads would be eligible for this, and the article I have referenced
http://www.financialramblings.com/archi ... rget-hack/
gives detailed information about how to go about it.

[goodbishop]

So now Target says that the names, mailing addresses, and email addresses of approximately 70 million customers may have been stolen during their recent data breach. I seriously doubt that 70 million adult Americans (approximately 1 in 3 of all Americans over age 18) shopped at Target during the 2- to 3-week period they initially said was involved, which means that the thieves likely accessed Target databases in addition to those storing POS information. I fear that means gift registries, mailing lists, and pharmacy records. Can anyone here confirm that this must be true? Am I correct that this sort of personal information is not stored in the magnetic strip data on credit/debit cards and must have come from some other source? Should we all be monitoring credit reports now, in addition to credit/debit card transactions?

Right. From what it sounds like, there were two separate attacks - one with RAM scraping malware on the POS systems, and the other one was where they accessed the records of 70 million customers. I wonder how they got the second piece - insider threat is likely.

For the personal information, just the name is stored on the Track 1 data on the credit card. https://www.pcisecuritystandards.org/do ... ss_v20.pdf , page 9.

I'm going to be discussing this tomorrow and how to defeat RAM scraping malware.

And yes, you should be monitoring credit reports - looks like Target is sending it to everyone who signs up, per the other links in this thread.

Source - I'm a IT security manager/credit card security expert/I live and breathe this stuff

[Ged]

It is surprising that target admins/network guys did not have any checks in place to automatically alert to their IT when someone is accessing GB's of data on their main databases.

Quis custodiet ipsos custodes?

My experience with large enterprise software is that security against exploitation by insiders is largely non-existent.

Google is now scrambling to encrypt their internal networks because of some of the Snowden stuff. And they are one of the most sophisticated companies.

[pinecrest]

.....

[soccerdad12]

I received this email from Target yesterday:

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
• Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
• Delete texts immediately from numbers or names you don’t recognize.
• Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel


Chairman, President and CEO


PS. I am not going to sign up for credit monitoring. Although there was no suspicious charges on my cards, I cancelled my debit and credit cards and placed a credit freeze on my name at the 3 credit agencies. It was free to do and took about 5 minutes. Pretty sure I am safe at this point.

[sscritic]

I received this email from Target yesterday:

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
• Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
• Delete texts immediately from numbers or names you don’t recognize.
• Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel


Chairman, President and CEO


PS. I am not going to sign up for credit monitoring. Although there was no suspicious charges on my cards, I cancelled my debit and credit cards and placed a credit freeze on my name at the 3 credit agencies. It was free to do and took about 5 minutes. Pretty sure I am safe at this point.

I got this email on Monday.

Dear Target Guest,

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.

In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:

• • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.

Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com website. If you have further questions, you may call us at 866-852-8680.


Gregg Steinhafel

Chairman, President and CEO

I did sign up for credit monitoring on Monday, the same day I got the email. I did not freeze anything.

[frugaltype]

I had the dim memory of having bought something at Target years ago. I got one of their emails just now. I looked in my old-bought-stuff email file and I had bought something in 2009. It's possible but not likely that I bought something in their fairly far away from me "local" store, but not recently.

I'd be upset if they had my SS number, but apparently, who knows, they don't.

I used free credit monitoring when someone walked off with a laptop with employees' information from my old employer. They only alerted once, and then would not identify the suspicious event! What the heck was that about. I did not find anything suspicious going on.

I don't think I still have the credit card numbers I had in 2009. So my plan is to just watch my statements.

Oddly, in the past few months, someone tried to open a credit card account with Chase with all my info but a wrong SS. I found this out when Chase mailed me some form to sign. Perhaps that's where this oddity originated. Why would crooks think a wrong SS number would work?

[oaksavannah]

A fraudulent charge on the Target card showed up today. Called Target and they cancelled my card and will be sending a new one. I also signed up for the monitoring service. I don't understand how the stealing and selling of credit cards works, do you? Some Russian hacker stole my Target card information. Sold it on the black market for, say $10.00. Then the purchaser makes a fraudulent charge showing I made a $247.00 purchase at a pharmacy in No. Virginia. I could understand purchasing an expensive item that could then be re-sold, but what is a thief going to do with pharmacy merchandise?

[sscritic]

I could understand purchasing an expensive item that could then be re-sold, but what is a thief going to do with pharmacy merchandise?

Make meth.

Edit: I think the correct term is cook meth. We need to be precise when talking about finances.

[countdown]

So the news yesterday was that a 17 year old kid was responsible for this breach of security? Amazing, if true.

[Epsilon Delta]

I could understand purchasing an expensive item that could then be re-sold, but what is a thief going to do with pharmacy merchandise?

Make meth.

Edit: I think the correct term is cook meth. We need to be precise when talking about finances.

Or diapers or laundry detergent or ... .

If it's worth the pharmacies time to buy at wholesale and resell it at retail it's worth the crooks time to steal it for $10 sell it at half retail.

[Ged]

what is a thief going to do with pharmacy merchandise?

Sell it on the street.

http://money.cnn.com/2011/06/01/news/ec ... rug_abuse/

[hudson]

If my credit is frozen at all 3 credit agencies, and I regularly check and reconcile my accounts, what good would it do to go for Target's offer of free credit monitoring?

[Mudpuppy]

So the news yesterday was that a 17 year old kid was responsible for this breach of security? Amazing, if true.

It is one security firm saying that the 17 year old is responsible for writing the malware installed on the point-of-sale systems. There has not been independent confirmation that the 17 year old is the author of the code. It also does not mean that the 17 year old actually did the attack. Writing the code and deploying the code are often two separate things, particularly for something as wide-spread as this is. Not that the media will accurately tell you this, but the media can't even spell the name of the CEO of the security firm right, so that has to tell you something.

In short, the 17 year old may have been part of the team that executed this attack, but I sincerely doubt it was entirely the work of the 17 year old.

[sscritic]

If my credit is frozen at all 3 credit agencies, and I regularly check and reconcile my accounts, what good would it do to go for Target's offer of free credit monitoring?

Enquiring minds what to know, are you related to the Hudsons of Hudson's Department Store and Dayton-Hudson? (This story is about Target after all)

In 2000, Dayton–Hudson was renamed Target Corporation

http://en.wikipedia.org/wiki/Hudson's
http://en.wikipedia.org/wiki/Dayton's

[hudson]

sscritic, Ha! not me...but interesting story about how Target began.
My grandmother told me I was named after a missionary to China...Hudson Taylor.

[reisner]

Target's offer of a free year of Experian credit monitoring requires me to enter my SS number. I see that SScritic signed up, but I'm suspicious. Should I be?

[ResearchMed]

Target's offer of a free year of Experian credit monitoring requires me to enter my SS number. I see that SScritic signed up, but I'm suspicious. Should I be?

I'm not at all sure if you should be suspicious that sscritic signed up, but better safe than sorry!

RM

[sscritic]

I would be suspicious of anything sscritic does. He even signed up for the free credit reports you can get by law from the three crediting agencies. A real fool, he even gave his real name and a bunch of other information to the credit bureaus because he really didn't want to get ResearchMed's credit report, but his own.

To be safe, never get your credit report, free or otherwise. Don't forget, ignorance of identity theft is bliss.

[reisner]

Ah, the bliss of ignorance! But I found the idea of giving out personal information in order to protect personal information a bit curious in the current circumstances. Especially given that Experian does not have an unblemished security record:

http://krebsonsecurity.com/2013/10/expe ... t-service/

[JMacDonald]

I just got the infamous email from Target about my name, etc. I decided to freeze my credit as I don't see any need for anyone checking my credit in the future.
Interesting Equifax charged me $5.00 while the other two companies did it for free.

[Ged]

I would be suspicious of anything sscritic does.

I'm not suspicious of the things sscritic does, rather I'm suspicious of the things he writes.

It's just not natural to be that old and still be using the internet.

[reisner]

About freezing your credit--that seems like the thing to do right now. Do husband and wife have to do so separately?

[JMacDonald]

About freezing your credit--that seems like the thing to do right now. Do husband and wife have to do so separately?

Yes, if you live in California. I don't know about other states.
http://oag.ca.gov/idtheft/facts/freeze-your-credit

Does my spouse's file have to be frozen, too?
Yes, because of community property laws. Both spouses have to freeze their separate credit files, via separate requests, in order to get the benefit. That means the total cost for freezing for consumers under 65 years of age is $10 x 3 credit bureaus x 2 people = $60. For consumers 65 years of age or older, the total cost for freezing is $5 x 3 credit bureaus x 2 people = $30.

[Caduceus]

If I may ask ... why is freezing credit necessary? If all the thieves got were credit card numbers and personal info (without the SSN), then wouldn't it be OK just to cancel the cards and get new ones? Can they do anything else without the SSN?

Thanks.