Shop at Target recently? Uh-oh...


Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
What makes you think Target did anything wrong, and they weren't just the victims of very good criminals? Whoever pulled this off clearly wasn't a small time organization, after all.



There are still legal obligations for reporting these kinds of frauds I believe. The investigation will also reveal if there was negligence on the part of Target as well. I'm sure we'll find out as they will be sued no doubt.


Edit: It really is the cynic in me when it comes to companies/organizations and security. They usually do the bare minimum to meet some legal requirements and I would argue never meet their ethical obligations for safeguarding customer information. I also have a hard time believing Target is just now finding out about the subsequent 70 million customers' data being stolen and it just stinks of PR damage control instead of doing what's right for customers. Again, I'm just a cynic when it comes to these kinds of incidents. Let's not even get started on the government incompetence when it comes to safeguarding people's personal information...
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
They usually do the bare minimum to meet some legal requirements and I would argue never meet their ethical obligations for safeguarding customer information.
I don't disagree with you there. But having been on the receiving end of a hack in the days of yore, I do at least disagree that it's at all evident what has been taken. Simply put, hackers don't leave a list of things they've copied, and good hackers falsify logs. Which makes it a complete bitch to figure out what they've actually done, both for determining the point of entry and what crimes have been committed.:|
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
I don't disagree with you there. But having been on the receiving end of a hack in the days of yore, I do at least disagree that it's at all evident what has been taken. Simply put, hackers don't leave a list of things they've copied, and good hackers falsify logs. Which makes it a complete bitch to figure out what they've actually done, both for determining the point of entry and what crimes have been committed.:|



Very true, proper security is tough. Which is why we hardly get it. I'll be interested to see if the Neiman Marcus customer theft during the same period is related.

I'd like these incidents to force us to ask if these companies should be keeping all this information on customers if they are incapable of securing it. Realistically though we're probably too far down that road.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
http://ca.news.yahoo.com/exclusive-...s-victims-cyberattacks-024345910--sector.html


Article claims:

Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks. Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.


The sources said that they involved retailers with outlets in malls, but declined to elaborate.
http://en.wikipedia.org/wiki/Security_breach_notification_laws


A quick read over data breach notification, so I wish everyone good luck and good luck to these companies that aren't living up to the letter of the law. That's going to be one hell of a legal nightmare when the AGs from 50 States come knocking.

We shouldn't be finding out about the extent of these breaches and that there were breaches at all from leaks to the media. That's just wrong.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106


Wow. There needs to be a criminal investigation into Target now for this. It really reeks of a coverup and violations of current laws on data breach disclosure.

There are still legal obligations for reporting these kinds of frauds I believe.
The investigation will also reveal if there was negligence on the part of Target as well. I'm sure we'll find out as they will be sued no doubt.


Edit: It really is the cynic in me when it comes to companies/organizations and security. They usually do the bare minimum to meet some legal requirements and I would argue never meet their ethical obligations for safeguarding customer information. I also have a hard time believing Target is just now finding out about the subsequent 70 million customers' data being stolen and it just stinks of PR damage control instead of doing what's right for customers. Again, I'm just a cynic when it comes to these kinds of incidents. Let's not even get started on the government incompetence when it comes to safeguarding people's personal information...



Don't you think the release stating another 70 million are affected is being told to us because of the legal requirement to do so?

Target is a public company and to release bad news like this piecemeal is horrible. Target and all public companies in Target's shoes would much prefer to have one release stating 110 million were affected instead of two statements.

Target said they did not have all the answers when they notified us of the first 40 million, don't you think they are telling us as they learn the truth about this? Are you complaining about Neiman Marcus who had the same issue at the same time frame but only told us now?

That is fine that you think Target is being dishonest but please do not speak like you are stating facts when it is your opinion. I am at a loss for your criminal investigation request into Target, as I have not heard of any issues from law enforcement that Target is being dishonest or not taking this seriously.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106
http://ca.news.yahoo.com/exclusive-...s-victims-cyberattacks-024345910--sector.html


Article claims:


http://en.wikipedia.org/wiki/Security_breach_notification_laws


A quick read over data breach notification, so I wish everyone good luck and good luck to these companies that aren't living up to the letter of the law. That's going to be one hell of a legal nightmare when the AGs from 50 States come knocking.

We shouldn't be finding out about the extent of these breaches and that there were breaches at all from leaks to the media. That's just wrong.

So how much time between a company knowing and notifying customers is required by your standards? I would argue if there are a lot of customers affected e.g. 70 million it would take a while for Target to notify customers because letters or notifications have to be written and the list of people affected has to be aggregated. Even if that took one business day to occur I could easily see leaks to the media occurring.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
Are you a Target shill?



Let's clear that up before we even move on. The law already states how long companies have to notify customers and each State has their own laws. Like I stated, the State AGs will have their go at Target and so will the Civil courts. Target will also get to enjoy the fines levied by the CC companies. Target is also the thread title and the NM news is only a tangent to it. The 3 stores reported to be hiding this information are also despicable.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
http://www.nbcnews.com/business/why-did-target-take-so-long-report-data-security-breach-2D11783300


Here's an early article about how long it took with plenty of reasons why. It's from December 20th. It glosses over their requirements for reporting and the wishy washy wiggle room most laws give them.

http://www.theguardian.com/technology/2013/sep/26/silent-circle-major-companies-data-breaches

Here's another showing how companies routinely hide the information on data breaches.

There WILL be an investigation into Target and hopefully we will find out if they tried to hide this data breach due to investigations or an attempt to get through the very lucrative and busy Holiday shopping season.

Delays in notification for a legitimate investigation are one thing, delaying in an attempt to get through the holiday season to make money is not. We learned of this breach not through Target but through leaks. Just like the other data breaches. If that doesn't concern you after reading how emails demonstrate companies' active attempts to hide these breaches, well, enjoy shopping at Target.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106
http://www.nbcnews.com/business/why-did-target-take-so-long-report-data-security-breach-2D11783300


Here's an early article about how long it took with plenty of reasons why. It's from December 20th. It glosses over their requirements for reporting and the wishy washy wiggle room most laws give them.

http://www.theguardian.com/technology/2013/sep/26/silent-circle-major-companies-data-breaches

Here's another showing how companies routinely hide the information on data breaches.

There WILL be an investigation into Target and hopefully we will find out if they tried to hide this data breach due to investigations or an attempt to get through the very lucrative and busy Holiday shopping season.

Delays in notification for a legitimate investigation are one thing, delaying in an attempt to get through the holiday season to make money is not. We learned of this breach not through Target but through leaks. Just like the other data breaches. If that doesn't concern you after reading how emails demonstrate companies' active attempts to hide these breaches, well, enjoy shopping at Target.

Thanks for the links, I was jumping a few pages and only read your recent posts which did not have these links.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106
Per the TV news I watched yesterday and this yahoo article it appears I should be proactive and request a new credit card and change my online passwords since I believe my data was in the attack.

I should check my emails from Target, I think they state I am a victim. I seemed to only get a blanket email and nothing said specifically I was a victim but I have a credit monitoring email from Target so the hackers must have gotten my info, right?

Second, why would I change online passwords? I did not hear anything about that data being stolen, or am I wrong?

Third, I am expecting Target to send me a new Redcard credit card if I was in the theft. Do they expect me to get a new Redcard? Shouldn't Target also be telling the other banks which accounts were stolen so the banks can automatically send out new cards for non-Redcard members? I know PCI compliance requires CC numbers to be encrypted but if Target knows the bank and the user name can they proactively tell the banks which cards were affected? Maybe they don't know the bank names. Either way Target should tell us to request new credit cards if we don't have the Target Redcard, right?

This post through #118 merged into this thread.
admin allisolm
 

IronWing

No Lifer
Jul 20, 2001
69,526
27,831
136
Ignore Target. The route of the data theft is not the issue at this point. Talk to your bank. If it were me, I'd request new cards for any account I used at Target.

If I had a Target branded CC I'd either request a new one or cancel.
 

OCGuy

Lifer
Jul 12, 2000
27,227
36
91
Target is more worried about the data breach than the credit card consumers are. The financial backer is on the hook for CC fraud, debit fraud varies by bank.

The credit monitoring email was most likely put out by Target as a PR thing to calm down consumers, but it looks like it has actually done the opposite according to your post.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106
Ignore Target. The route of the data theft is not the issue at this point. Talk to your bank. If it were me, I'd request new cards for any account I used at Target.

If I had a Target branded CC I'd either request a new one or cancel.

I only have a Target Redcard that I use at Target so Target should want to prevent fraud and change my card if I was affected.
 

nageov3t

Lifer
Feb 18, 2004
42,816
83
91
personally, I'm just keeping a slightly closer eye on my CC statements than usual for any atypical activity, although my experiences with Chase over the years is that they usually catch that type of stuff instantly.
 
Nov 20, 2009
10,051
2,577
136
Ignore Target. The route of the data theft is not the issue at this point. Talk to your bank. If it were me, I'd request new cards for any account I used at Target.

If I had a Target branded CC I'd either request a new one or cancel.
Some card issuers are playing hardball when it comes to such requests. They claim there is no need to replace the card with one with a new number as 'they are monitoring' activity.

I feel that consumer confidence should come before issuer workload stress in the framework of having to replace millions of cards/numbers, but hey, we can't all be thinking like Amex.

But I'm the type of counter-hardballer and will seek Amex to replace existing cards with new cards featuring new numbers. That or just close my multiple Amex accounts. If they do not wish to instill consumer confidence then why do business with them?
 

IronWing

No Lifer
Jul 20, 2001
69,526
27,831
136
I only have a Target Redcard that I use at Target so Target should want to prevent fraud and change my card if I was affected.
Do you really care what Target should want? Any future fraud on the card will be, at minimum, a hassle for you. If you request a new card now, you control the timing of the account switchover. If you wait for fraud to pop up then the timing of killing the old card and issuing the new card might be an additional inconvenience on top of dealing with any fraudulent charges.

I've had to get new cards twice in the past two years due to fraud. I wasn't liable for the charges but it was still a pain in the butt.
 

JimKiler

Diamond Member
Oct 10, 2002
3,559
205
106
Some card issuers are playing hardball when it comes to such requests. They claim there is no need to replace the card with one with a new number as 'they are monitoring' activity.

I feel that consumer confidence should come before issuer workload stress in the framework of having to replace millions of cards/numbers, but hey, we can't all be thinking like Amex.

But I'm the type of counter-hardballer and will seek Amex to replace existing cards with new cards featuring new numbers. That or just close my multiple Amex accounts. If they do not wish to instill consumer confidence then why do business with them?

With Amex or a credit card, if they told me that I would be okay. If I used my debit card (which I do not) I would definitely require a new number to continue to get my business.
 

OCGuy

Lifer
Jul 12, 2000
27,227
36
91
Some card issuers are playing hardball when it comes to such requests. They claim there is no need to replace the card with one with a new number as 'they are monitoring' activity.

I feel that consumer confidence should come before issuer workload stress in the framework of having to replace millions of cards/numbers, but hey, we can't all be thinking like Amex.

But I'm the type of counter-hardballer and will seek Amex to replace existing cards with new cards featuring new numbers. That or just close my multiple Amex accounts. If they do not wish to instill consumer confidence then why do business with them?


You don't instill confidence in the human race if you don't even know how credit cards, including Amex, work.

It is Amex's gamble, not yours.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
Everyone should be checking their statements a lot more closely, regardless of where you shop.

The malware responsible for this is pretty damn cheap, and is extremely effective against even the systems (and "security") of national retailers... guess what that means for local businesses?

Some of the criminals taking part in these activities are shooting for the big databases, so they can sell a large amount of data to whoever wants it. Many, however, are going to settle for small gains.

So many mom&pop shops are never going to realize something is amiss, not immediately at least. And credit issuers are going to have a harder time noticing trends that are based around local stores.

We all need to be on guard, because the malware is both effective and very cheap. I think the one report said he was selling it to interested parties for a couple thousand dollars.
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
Yeah, ignore the urgent highest-graded security alerts from the super-duper security firm you hired...

 

jlee

Lifer
Sep 12, 2001
48,513
221
106
"Target spent $61 million through Feb. 1 responding to the breach"

Sure makes hiring a bunch of competent security guys at six figures each seem pretty reasonable..
 

who?

Platinum Member
Sep 1, 2012
2,327
42
91
My friend Olivia used her Discover card at Aldi, she hadn't used that card in months and within minutes there were fraudulent charges. This was just last week. She sent Aldi an email about this on their website because they don't have a public phone number.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
My friend Olivia used her Discover card at Aldi, she hadn't used that card in months and within minutes there were fraudulent charges. This was just last week. She sent Aldi an email about this on their website because they don't have a public phone number.

That must be quite a trick, since Aldi only takes debit cards...
 

chowderhead

Platinum Member
Dec 7, 1999
2,633
263
126
Yeah, ignore the urgent highest-graded security alerts from the super-duper security firm you hired...


promote to CIO/Executive VP of Technology someone who started with the company as an assistant buyer and then ran the company's call centers and who had no experience in computer science.
 