Target announced this morning that the breach originally thought to affect 40 million shoppers who had used credit and debit cards in its stores between the end of November and December 15 is much larger than it initially appeared. The company is now indicating that additional data on 70 million more shoppers was exposed. It is not currently clear whether this is in addition to, or overlaps with, the original 40 million records, but several news sources are saying the breach could affect as many as 110 million shoppers. What is worrying about this latest revelation, in addition to the sheer numbers, is that the exposed data is now thought to include more than just card data, so email, address, and phone numbers could be exposed.
The initial announcement by Target indicated that only credit and debit card information was stolen. After forensic examination began, the explanation of the stolen data was soon amended to include encrypted PINs for debit cards. This greatly increased the risk of fraudulent use of those cards for customers who had shopped at Target during the time period of the breach. Now, as it is becoming clear that the thieves are actively trying to decrypt the PINs, the risk for those debit card users continues to grow.
This latest revelation hints at a much bigger problem, as the new information gathered is not just data that is typically used in the processing of credit or debit card transactions, and it is not entirely clear where the thieves got this information. It seems likely that it was more than just credit and debit card users that were affected, though it is not clear which other Target shoppers make up the remaining records. It could be that shoppers who paid cash but provided additional information comprise some of that difference.
In light of the potential doubling of the number of affected users, and the potential for an increase in the possibility of identity theft, let us revisit the recommendations from our previous article:
If you used your credit or debit card at Target between the end of November and December 15, 2013, it is still important that you regularly check your statements for fraudulent transactions. Criminals are likely to hang on to data and use it after attention has died off, so this is something you should continue to do for the foreseeable future.
If you would rather not take the time to continually monitor your card, you may wish to ask for a replacement card instead. Remember, if you have any auto-pay accounts that reference this account number, you will need to update that information when the replacement card is activated. The Federal Trade Commission offers a lot of advice on dealing with lost or stolen cards.
If the card that was used was a debit card, you should change your PIN. Criminals are actively working to crack the encryption used to protect this information, and many people use weak PINs that are easy to guess. You might want to listen to what my colleague Aryeh Goretsky has to say about choosing a good PIN.
It is now clear that the thieves have enough information on some Target customers to carry out identity theft. That makes it even more important to regularly monitor your credit report so that you can spot and then report any fraudulent account activity, like new accounts in your name that you did not authorize. Target has provided detailed contact information for the three credit-reporting agencies, and provided a year of free credit reporting for those who have been affected. You may also want to look into setting up a fraud alert or a credit freeze if you want additional protection against fraudsters trying to get credit in your name. Be aware that these steps will also mean you have to go through additional verification if you wish to get credit for the duration of the alert or freeze.
There is no indication yet that Target.com was compromised, but the forensic investigation on this incident is not yet complete. As a precaution, it is a good idea to make sure your password is strong, and that you change it regularly.
Criminals now have access to more information about Target customers, and are now more likely to use this to send scams or phishing emails. Be sure not to click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.
The FTC site is a great source of fresh and useful information for preventing and correcting damage from identity theft, including a particularly nasty version of this crime: tax identity theft. Next week (January 13-17), they are having a number of informational events both online and in locations around the US. This would be an especially good time to educate yourself on how to protect yourself from harm from this breach.
Author Lysa Myers, ESET