Target confirmed earlier today that the Black Friday credit card data breach included the names, addresses, phone numbers and email addresses of up to 70 million individuals, nearly doubling the number of affected customers. Target also confirmed that this news is not indicative of a second data breach, but is part of the same one already under investigation.
The key takeaway from today's revelation is that customers whose credit card info was stolen might have had personal info stolen as well - and that means that, in some cases, the thieves may have enough information to cross over from credit card fraud into full-blown identity theft.
Avivah Litan, a fraud analyst at technology research company Gartner, spoke of that possibility to NBC News. "They steal and combine what was stolen in previous breaches. There are warehouses of information on people and dossiers. Now we've got John's credit card, his address, his phone number... they do put it together and sell entire profiles on people."
Target also notes that much of the stolen data is incomplete, and that they will be reaching out to affected customers when an email address is available, but made no mention of any plans to contact others by mail. You can be certain that other thieves have already begun crafting their own phishing scams designed to look like email from Target. “If you see an email that asks you to click a link to a site and provide sensitive information, stop and don't click or provide any data,” said Brian Krebs, the founder of Krebs on Security, the site that first broke the story of the Target leak.
So far, we've still seen no indication from official sources that the breach affected any online shoppers. A Chicago Tribune article posted today speculates that it might have, and appears to imply that the speculation came from Target spokeswoman Molly Snyder. However, the article offers no direct quote or supporting documentation, and neither Target nor Krebs has made any statements or dropped any hints to that effect. We feel that if online shopping also was breached, it would be a much bigger story rather than the unattributed throwaway it seems to be right now. We're currently chalking that up to sloppy journalism, and although we won't exclude the possibility since we're not close to the investigation in any way, the best information out there right now still seems to indicate that online shoppers were not affected.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target's chairman, president and chief executive officer. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Understanding that credit card fraud and identity theft are real concerns for millions of customers, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped in store during the breach period.
“We know this incident has been a confusing and stressful time for our guests, and for that we apologize,” said Scott Kennedy, president, Finance and Retail Services, Target. “We hope this offer provides them with additional peace of mind.”
Target expects to announce details about the free credit monitoring offer next week, and we'll follow up on our blog once they're available. (UPDATE 1/13/14: Registration is now live and we've posted the info here: How to Sign Up for Free Credit Monitoring from Target)
In the meantime, there are things that all affected customers should do to protect themselves from fraud and identity theft.
- Change your PIN number. Not just for the card that was affected by the breach, but for all accounts where you might use the same PIN. It's not advisable to use the same PIN or password for different accounts of any kind but let's face the facts: people do and always will. If your PIN and personal info were stolen, it might lead intrepid hackers to other accounts that you own.
- Watch your statements for anything out of the ordinary. Report it right away if there is.
- Put a fraud alert on your credit report. Call all three of the major credit bureaus to do this right. We've included contact info for each at the end of this post.
- Check your credit report regularly. Which you should be doing regularly anyway.
- Beware of phishers. The folks who now have stolen phone numbers and email addresses will be calling and emailing and generally trying to trick you into giving away sensitive information. They may even mention the Target data breach as the reason they're calling. Never give any personal info to an unsolicited caller, and know that no reputable business ever asks for sensitive info over email.
You can also go for the nuclear option and ask for a new card.