As you may have heard from the copious news coverage (including our own post this morning), Target’s stores in the US were the target of a security breach which has given criminals access to the data from the magnetic stripes on customers’ credit and debit cards. This data includes the customer’s name, credit or debit card number, the card’s expiration date and CVV (the three-digit security code).
Indications are that this breach began near the end of November, though some sources say it may have begun as early as mid-November, and it was closed on December 15. If you shopped in a Target store during that period of time, you may be wondering how to identify or mitigate problems caused by this breach. Here are a few steps you can take now:
The first and most important thing you can do is to check the transactions for the credit and debit cards you used at Target stores during this time period. If you see activity that you do not recognize, it is important that you notify the card issuer immediately.
Keep in mind that although we have reports that some of this stolen data is already being used for fraud, the criminals may not use or sell all of the stolen data right away (in order not to flood the market and devalue the data, they may sell it over the course of several months). You will need to be vigilant with these accounts for a while.
Reports are that the site for Target’s REDcard is overwhelmed and may not be responding, so you may need to be patient and try again periodically.
If you would rather not wait for the hammer to drop on criminals potentially selling your stolen data, especially if the card in question is a debit card which pulls funds directly from your bank account, you may wish to ask for a replacement card. Keep in mind that if you have any auto-pay accounts that reference this account number, you will need to update that information. By asking for a replacement card, you will have more outlay of time now, in the hopes of preventing a bigger outlay of time in the future, if your card data does get stolen. The Federal Trade Commission offers a lot of advice on dealing with lost or stolen cards.
If the card that was used was a debit card, you may wish to change your PIN. On December 27 Target confirmed that encrypted PINs were part of the data gathered in the breach. While the criminals may not have decrypted this information, many people use weak PINs that are easy to guess. Making this change is a small step that can greatly improve your security.
Criminals could take the data they have stolen and combine it with other data to wreak more havoc. It is a good idea to regularly monitor your credit report, to identify and then report any fraudulent transactions. Target has provided detailed contact information for the three credit reporting agencies. You may also want to look into setting up a fraud alert or a credit freeze if you want additional protection against fraudsters trying to get credit in your name. Be aware that these steps will also mean you have to go through additional verification if you wish to get credit, for the duration of the alert or freeze.
There is no indication that Target.com was compromised, but this incident is a good reminder to be vigilant about choosing strong passwords and changing them often.
Beware of scams: Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams. Some folks may, ironically, be more apt to fall for social engineering tactics that prey on this fear of their cards being compromised. Be sure not to click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.
[Update December 20: Details of how card data are being sold are now emerging.]
Big hat tip to Brian Krebs for breaking this story.
Author Lysa Myers, ESET