Target Corporation’s data breach touched millions. What does that mean to those affected, and what recourse do we have.
To say Target Corporation has been in the news is a world-class understatement, and especially disconcerting for those of us who live in Minnesota. Odds are pretty good that everyone living here has a family member, relative, or knows someone who works for Target. When Target has issues, the people of Minnesota have issues.
As an IT professional who writes about information security, and lives in the heart of Target-land; I have a particularly “up close and personal” connection. Many times, when I contracted as a network engineer, I remember getting lost in Target’s cavernous multi-floor data centers. I also remember having to go through a serious shakedown to get into each of the data centers. There was one data center in particular, where a certain security guard took great pleasure pointing out that the guy pictured in my driver’s license had hair.
What happened to Target looks bad. I first learned about the data breach from my friend Brian Krebs, he broke the story on his security blog site Krebs on Security the 18th of December. Hisfollow-up on December 20th provides a lot more detail. The bottom line is 40 million people who used their credit or debit card to make purchases at a Target store between November 27th and December 15th had their card information stolen.
There’s a great deal of speculation as to how the data breach occurred, but that’s all it is at this point—speculation. And to be honest, that’s not my concern. What does concern me are the people potentially affected by the data breach. What are they thinking? It didn’t take long for me to find out.
Friends and people who know I write about information security started to call, asking what I was going to do.
When I told all who contacted me, I wasn’t that concerned. But, I was checking my accounts every morning online. They couldn’t believe that was it. They kept asking what about identity theft. They know our names; can’t they change passwords, and so on. Being immersed in information security, I had a good idea as to what happened, and how to protect my assets. But, it was a bad assumption on my part to assume others did as well. I’d like to fix that.
What did the thieves get?
First, let’s take a look at what the thieves got their hands on. It appears the only information stolen was data stored on the magnetic strip—not the account PIN, and not the three-digit security code on the back of the card. Here’s what the crooks did get from the magnetic strip:
- Card-holder’s name (There appears to be some confusion as to whether the card-holder’s name is on the magnetic strip or not. I called a few banks and received differing opinions.)
- Credit or debit account number
- Expiration date
- Card-present CVV (Another security code located on the magnetic strip.)
What kind of cards?
People are concerned as to what types of cards the thieves stole information from. The following are involved:
- All forms of credit card
- All forms of debit card
- Target’s Redcard
If people are unable to monitor their accounts online, a banker mentioned they should call the customer service number on the back of the card, and share their concerns. This can become important as most issuing banks have a time limit on reporting discrepancies, and the next statement date may be outside that time window.
Another option is “account change alerts.” Banks offer a service that sends automated calls, texts, or email alerts if more than a designated amount is charged or withdrawn from an account. If the person notified didn’t conclude any transactions; they know to call customer service as soon as possible.
Debit cards being directly associated to a person’s accounts are more of a concern when digital crooks steal the information from them. What happens when the crooks try to use the debit card information is very dependent on the bank. So, call the issuing bank’s customer service to be safe and learn what they recommend.
Could my identity be stolen?
Yes, it could. I hate saying that, but there is a slight, very slight chance in a “perfect storm” sort of way that it could. To steal a person’s identity requires more information than what is provided on the credit or debit card. Why experts must say yes is to cover the possibility bad guys may have the required additional information, and are able to make the association (perfect storm). Not likely, but possible.
For the super-concerned
If you prefer not to worry about this at all, or you are planning on a trip in near future; it might be best to have the issuing bank cancel the existing account and open a new one. Worries gone. I included travelers because banks are watching customer accounts like never before. If anything looks out of place, they will lock the account in no time flat. And, I assure you traveling is not the time to have that happen.