Target’s data breach gets uglier
Target revealed last week that its pre-Christmas security breach was much worse than thought. Instead of some 40 million credit and debit card accounts, 70 million to 110 million were affected.
Target said Friday that its ongoing investigation found information from at least 70 million consumers, apart from the 40 million payment card accounts previously disclosed, was stolen during the data breach. It said this is not a new breach and there may be some overlap between the two groups.
Also, even more personal data — including phone numbers as well as e-mail and mailing addresses — were stolen. Initially, hackers were believed to have taken just payment card data: names, card numbers, card expiration dates, debit-card PINs and the embedded code on the magnetic strip on the back of cards.
The ongoing investigation showed that much of the data was partial in nature. Advice will be send to consumers with possibly stolen e-mail addresses to guard against consumer scams.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, chairman, president and CEO, Target, in another apology that was printed, among other places, in a full page ad in the New York Times this morning.
Target shaved its fourth-quarter earnings guidance with comps now expected to decline 2.5 percent in the period, down from prior guidance of flat comps. Stronger-than-expected sales prior to the Dec. 19 breach revelation were followed by "meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days."
The new breach disclosures led to another round of widespread negative media coverage and security warnings. Target still hasn’t explained how hackers accessed the data.
Although some felt Target was being as forthcoming and reassuring as possible, some felt more steps, such as TV commercials, would be necessary to regain shoppers’ trust. Beyond apologies, Target offered a 10 percent discount the last weekend before Christmas as well as free credit monitoring and identity theft protection.
"Target is in a critical situation with consumers because its credibility and brand loyalty are being questioned,’ David Johnson, CEO of Strategic Vision, LLC, a crisis management firm, told the Associated Press.
Hemu Nigam, CEO of SSP Blue, a security consulting company, told the New York Times, "At this point they’re really in that stage of having to showcase what they’re doing to go forward."
Other stories explored what the deepening breach — estimated now to be bigger than TJX’s 2007 breach — would mean for other retailers and shoppers’ anxieties overall. A report Friday indicated Neiman Marcus was also investigating a similar data breach.
"It’s 2014," Ken Stasiak, CEO of SecureState, told NBC News. "We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."
- Target Provides Update on Data Breach and Financial Performance – Target
- Target: Data breach caught up to 70M customers – The Associated Press/Boston.com (tiered sub.)
- Target Breach Affected Up to 110 Million Customers – The New York Times (tiered sub.)
- Target Increases Number of People Hit in Data Breach – The Wall Street Journal (sub. required)
- ‘Worst breach in history’ puts data-security pressure on retail industry – NBC News
Discussion Questions
Should Target be taking more steps to regain shopper’s trust? What else could they be doing? Is data security being given enough attention by retail overall?
My understanding is this was not limited to those in-store shopping during the period but online as well and anyone in their system is at risk. Neiman’s announcement they were hacked as well, points to a much larger target.
What happens when the hacker is able to use Big Data and connect the customers’ location(s), purchases, credit cards and online behaviors? What will they be able to do?
It is only a matter of time when such “partial information” breach impacts consumers lives. As Google wallet and swipe and pay become more common, and as customers allow apps to access their information on their phones, the chances of more breaches becomes more likely.
I think hacked data will be a big story in 2014. Especially when the data is able to be mined by hackers just like marketers.
Not sure what Target can do. This is bound to happen to more retailers as well. The consumers need to get better prepared and not expect retailers to protect them. I’m surprised more people don’t just lock their credit reports so no one can use it to open a line of credit. I locked mine up years ago and there is simply no need for anyone to see my credit report. It’s not 100% foolproof and I doubt there is anything out there that is.
From what I understand, those who used Target’s REDcard have no worries. Target is just getting all the bad press right now. It will be some other company next.
Maybe it’s time for the consumer to use some common sense and take the first step in protecting themselves. Just like we lock our cars up before we go into a store and shop and then unlock them we use them again. With all the data breaches I think it’s a little too much to expect that retailers will protect us. If they had that ability, there would be no data breaches.
Target needs to get in front of this growing embarrassment and assure consumers that their personal information is safe when shopping in Target stores. One way to do this would be for Target to embrace chip and pin technology and spend the money necessary to offer this service to consumers, starting with REDcard holders. By leading through example, Target could spark a change in customer data security, while bringing the US up to par with the rest of the world. With chip and pin, this data breach would not have happened.
I predicted security will be the 2014 theme of retail and it looks like I’m right. The Neiman Marcus information is still early but indicators are showing it is a very serious data breach and similiar to Target.
No one “hacks” millions of data records, they walk through the front door unnoticed. The next few weeks are going to be very fluid regarding retail security.
The general population is dealing with a breach of trust. As time goes by, the security of Target’s Point Of Sale (POS) and in fact their whole Information Technology (IT) system is highly suspect and most likely a shambles. The entire executive committee of the company has been disclosed as inept and undeserving of the trust placed in their charge. The board of directors needs to make immediate changes for the sake of the investors and the consumers willing to support Target in spite of the obvious risks.
This is no small matter and the only communication from the company is that it is getting worse. If the system has no security, and as we now know it doesn’t, it should be shut down and the company should continue in disaster recovery mode using third party electronic payment support until the company’s IT ans POS systems are rebuilt, tested and certified as safe.
When I first read this statement “I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” I felt it was weak and not reassuring at all. Identity theft is more than “frustrating.” It’s just about the same as having your home burglarized and the associated violations of self. Then there’s all the legwork and scrutiny necessary to protect assets immediately and into the future.
I know that companies hire consultants to audit and install protocols for network security. Evidently there are no standards across retail operations, such as ISO standards. If there are, there’s been no mention. The occurrences at Target and Nieman Marcus suggest that standards must be identified to the public at large with statements of proof they are being adhered to. I’m not pretending I review the elevator inspection documents every time I step onto an elevator. However, retail network security standards, auditing and statements of proof can easily be show cased on retailers’ websites for the public to see. This is not a Target-only or Nieman Marcus-only issue.
As for Target’s next steps, I believe that the offer of security monitoring is a good first one. Then Target must regularly convey what it is doing to insure security and show proof. Hopefully the rest of those organizations that capture personal and financial data will do the same.
Target has been thrust into a leading role in consumer data protection and if it fails to to take action, or if another retailer grabs the lead, the damage to the Target brand will be unrepairable when the results of the breach begin affecting consumers.
Target needs to exceed any action recommended by a crisis management template.
There is no doubt that Target was PCI compliant. This just proves that no matter how secure you think you are, and that no matter what laws or procedures are passed, that if someone wants to hack you, they will. There will always be a way.
They say they are offering credit report monitoring, but I have not received any information from Target to date as to how to access that offer. I used my AE Gold card several times during the vulnerable period.
When the equivalent of a third of the U.S. population may be affected, and the media label this incident the “worst breach in history,” Target really can’t over-communicate with consumers as to what it knows and how it will move forward to protect customer information.
Target has done a good job of coming forward as new developments unfold, though I sense consumers aren’t fully confident that Target is out ahead of this incident, nor that the company is communicating how it will prevent such large-scale data issues in the future. Given the news gets worse week after week, I’m not confident Target is doing everything it can to regain shopper trust.
This issue is not just about Target and other retailers. It’s also about the banks and other card-sponsoring services, and about the lack of attention we devote to protecting our personal information. Here are a couple of thoughts:
First, retailers should forge relationships with banks in which they actively partner their active security systems. On two occasions I’ve been notified by my bank of attempted unauthorized use of my account before I was notified by the retailers fooled by my identity thief. It occurs to me that an ironclad union and synchronization of retailer systems with banking systems would provide a much higher hurdle for hackers and a better early warning algorithm for misuse. Additionally, a “best practices” competition would arise from this partnership with retailers and banks challenging each other to provide the ever-evolving best and newest security systems. It would also solve the complacency exhibited by retailers regarding their systems: In spite of the fact that security systems require frequent updates to be useful, retailers are of the “OK, that’s done” mindset and fail to update.
And second, identity protection services such as LifeLock could be offered by banks free of charge or for an extremely discounted price. By buying millions of LifeLock subscriptions for their depositors, banks would naturally qualify for a bulk-purchase discount.
How is it that 1/3 of the entire population has their private info stolen and there is no political commentary about the responsibility of the retailer to protect this data, or any initial discussions about what changes must be implemented to ensure consumer security?
If the news was that a trusted banking institution had allowed security breaches of 110,000,000 of their clients’ most sensitive data, what would people say then?