What does the Target data breech actually mean to me?
January 21, 2014 6:00 AM Subscribe
I shopped at Target twice during the period last year that their customer data was compromised. I used my debit card once (which, ugh, I never shop with, but I must have needed cash back), and my credit card once. And apparently other information, like home and e-mail addresses, was also taken. How concerned should I really be, and how much effort should I put into changing card numbers and monitoring my own information?
I've had my credit card number stolen before, and while it's a hassle, the card company was very good about alerting me immediately, sending a new card, and stopping any disputed charges. My debit card was also compromised once, and again it was caught and taken care of immediately. I'm not super concerned about the credit card because it's one I barely use, but should I have my debit card replaced? I keep a close eye anyway on charges on my credit and debit cards, and think I would notice anything suspicious.
What does the leak of my personal information (name, address, e-mail) mean for me? It's not exactly top secret information, though obviously having it all published in one spot makes it easier for someone to use it. Is this enough information that someone could open a line of credit or something in my name? (But if they use my address/e-mail, wouldn't I find out about it via mail or e-mail?) Was any other sensitive information leaked, like Social Security Number or passwords?
Should I sign up for the one year of credit monitoring that Target is offering? I do get a monthly credit score from my credit union, so I would see if there were a sudden change in the number. Is it even worth it, considering it might be longer than a year before someone decides to use my info?
Basically, how concerned should I really be, and how much effort should I put into changing card numbers and monitoring my own information?
I've had my credit card number stolen before, and while it's a hassle, the card company was very good about alerting me immediately, sending a new card, and stopping any disputed charges. My debit card was also compromised once, and again it was caught and taken care of immediately. I'm not super concerned about the credit card because it's one I barely use, but should I have my debit card replaced? I keep a close eye anyway on charges on my credit and debit cards, and think I would notice anything suspicious.
What does the leak of my personal information (name, address, e-mail) mean for me? It's not exactly top secret information, though obviously having it all published in one spot makes it easier for someone to use it. Is this enough information that someone could open a line of credit or something in my name? (But if they use my address/e-mail, wouldn't I find out about it via mail or e-mail?) Was any other sensitive information leaked, like Social Security Number or passwords?
Should I sign up for the one year of credit monitoring that Target is offering? I do get a monthly credit score from my credit union, so I would see if there were a sudden change in the number. Is it even worth it, considering it might be longer than a year before someone decides to use my info?
Basically, how concerned should I really be, and how much effort should I put into changing card numbers and monitoring my own information?
Best answer: I keep a close eye anyway on charges on my credit and debit cards, and think I would notice anything suspicious.
This is all you really need to do and it's what everyone should be doing anyways. You can help yourself out some by using a credit card in place of a debit card and paying off the full balance every month. It's easy to manage if the credit card you use is issued by the bank where you have your checking account. The logistics of dealing with fraudulent charges on a credit account are easier than dealing with fraudulent charges on a debit account (Eg: your checking account) because you've just temporarily lost access to that line of credit (which you don't actually need) instead of your actual cash (which you might need). There are also some budgeting and cash flow benefits that I won't go into (memail me if you're interested).
Name, address, e-mail and card number are not enough information to open a line of credit. They'd also need your social security number which, I suppose they could use the information they have to try and obtain. But that would be a lot of work and with most of the people they made the attempt on, they'd fail so it's probably not a worthwhile endeavor for the criminals. For a lot of things they'd need your current and past employment information and copies of paystubs and W-2s.
As someone who worked in retail banking and helped people deal with fraud all the time (as well as preventing some myself) I'm not doing anything I don't normally do. I'm not even going to bother signing up for the credit monitoring but it's free so it really can't hurt.
posted by VTX at 6:30 AM on January 21, 2014 [1 favorite]
This is all you really need to do and it's what everyone should be doing anyways. You can help yourself out some by using a credit card in place of a debit card and paying off the full balance every month. It's easy to manage if the credit card you use is issued by the bank where you have your checking account. The logistics of dealing with fraudulent charges on a credit account are easier than dealing with fraudulent charges on a debit account (Eg: your checking account) because you've just temporarily lost access to that line of credit (which you don't actually need) instead of your actual cash (which you might need). There are also some budgeting and cash flow benefits that I won't go into (memail me if you're interested).
Name, address, e-mail and card number are not enough information to open a line of credit. They'd also need your social security number which, I suppose they could use the information they have to try and obtain. But that would be a lot of work and with most of the people they made the attempt on, they'd fail so it's probably not a worthwhile endeavor for the criminals. For a lot of things they'd need your current and past employment information and copies of paystubs and W-2s.
As someone who worked in retail banking and helped people deal with fraud all the time (as well as preventing some myself) I'm not doing anything I don't normally do. I'm not even going to bother signing up for the credit monitoring but it's free so it really can't hurt.
posted by VTX at 6:30 AM on January 21, 2014 [1 favorite]
Best answer: There's not much downside to the free monitoring. We also had a credit card affected but our bank took the step of issuing a new one without any prompting from us. Loss of the other personal information potentially sets a person up to be a more focused target of fraud e-mail, but with 70M other victims out there there's a bit odd safety in numbers.
The biggest risk for folks who had debit cards (and PINs) compromised was that their accounts could be drained quickly, which is problem enough, but would be compounded by missed automatic payments, bounced checks, and so on.
Full disclosure: my employer has been publicly named in the clean-up operations. Any opinions in this post are mine alone.
posted by jquinby at 6:31 AM on January 21, 2014
The biggest risk for folks who had debit cards (and PINs) compromised was that their accounts could be drained quickly, which is problem enough, but would be compounded by missed automatic payments, bounced checks, and so on.
Full disclosure: my employer has been publicly named in the clean-up operations. Any opinions in this post are mine alone.
posted by jquinby at 6:31 AM on January 21, 2014
Best answer: Use it as an opportunity to get a new card. Personally, in the internet age, it boggles me that people still keep the same debit card longer than twelve months (sometimes for years, as in pressuring their bank into letting them keep the same card numbers on a new card). Target isn't the only vendor who has accidentally leaked your information, but they are one of the few who let you know about it because they were made aware. You don't even have to cancel your old card while you wait for the new one; simply request a new card and activate it when it shows up. Yes, you'll have to re-input your card numbers on auto-pay sites, but you should go over those periodically anyway. Make it a Saturday afternoon project and you'll feel better about this issue in general.
posted by theraflu at 6:38 AM on January 21, 2014 [3 favorites]
posted by theraflu at 6:38 AM on January 21, 2014 [3 favorites]
Best answer: What does the leak of my personal information (name, address, e-mail) mean for me? It's not exactly top secret information, though obviously having it all published in one spot makes it easier for someone to use it.
Someone who has acquired access to your personal information, including your email address, knows that you shop at Target. That makes you vulnerable to well-crafted 'spear phishing' emails, pretending to be from Target. Be very careful about links you click in any emails you receive in the future that claim to be from Target.
posted by hanov3r at 6:40 AM on January 21, 2014 [1 favorite]
Someone who has acquired access to your personal information, including your email address, knows that you shop at Target. That makes you vulnerable to well-crafted 'spear phishing' emails, pretending to be from Target. Be very careful about links you click in any emails you receive in the future that claim to be from Target.
posted by hanov3r at 6:40 AM on January 21, 2014 [1 favorite]
Be very careful about links you click in any emails you receive in the future that claim to be from Target.
Yes, exactly. I got an email the other day that was supposedly from Target and I thought to myself "this is very strange because I have not shopped at Target since maybe 2005, what is happen." So presumably the Target-based phishing of emails in general has started already.
posted by elizardbits at 6:51 AM on January 21, 2014
Yes, exactly. I got an email the other day that was supposedly from Target and I thought to myself "this is very strange because I have not shopped at Target since maybe 2005, what is happen." So presumably the Target-based phishing of emails in general has started already.
posted by elizardbits at 6:51 AM on January 21, 2014
I'm not signing up for credit monitoring because I don't want to deal with cancelling that service in a year. My normal vigilance gives me peace of mind enough. I didn't shop at Target during the time frame of the incident, though. If that had happened, I'd definitely get a new debit card ASAP (why not? many branches can even print your new debit card right away at the bank, call and see). And, in that case, I'd think about the monitoring, but if I went for it, I'd be sure to mark the renewal date on the calendar (actually 2 weeks ahead of time to give me a heads up to cancel).
posted by xiaolongbao at 7:04 AM on January 21, 2014
posted by xiaolongbao at 7:04 AM on January 21, 2014
Best answer: You should probably just ask your bank for a new credit card - and change your debit card pin. I think the banks are dragging their feet on offering new cards just because of the number of cards involved, but since they're the ones who will be left holding the bag if your card is used fraudulently, it is in their interest to give you a new card.
From what I've read, some batches of stolen card #s have shown up on the black market, and the expectation is that more will over the next couple of months. I don't know exactly why the cards #s are being marketed in dribs & drabs, but one possible reason is that people are being hyper-vigilant now, and will get tired of doing so after a while.
posted by mr vino at 7:13 AM on January 21, 2014
From what I've read, some batches of stolen card #s have shown up on the black market, and the expectation is that more will over the next couple of months. I don't know exactly why the cards #s are being marketed in dribs & drabs, but one possible reason is that people are being hyper-vigilant now, and will get tired of doing so after a while.
posted by mr vino at 7:13 AM on January 21, 2014
There are many bogus Target e-mails going out. The real one from Target is actually posted on CNN so folks know what the legit one looks like.
posted by jquinby at 7:16 AM on January 21, 2014
posted by jquinby at 7:16 AM on January 21, 2014
(actually, CNN links to Target's corporate website - the note is hosted here)
posted by jquinby at 7:17 AM on January 21, 2014 [1 favorite]
posted by jquinby at 7:17 AM on January 21, 2014 [1 favorite]
I've actually been enrolled in the same monitoring service that Target's offering, for about a year and a half now for two other data breaches, and both times that I opted into it, at no time during the either of the signup processes or during the expiration of the year I got for the first breach, did I ever have to deal with a hassle of canceling it.
Sure there were offers for me to sign up on my own dime, but you specifically had to tell them that's what you wanted to do. I would think there would be no harm in at least looking at the signup process and seeing if it's still like that, or they've added in automatic renewals.
posted by radwolf76 at 7:57 AM on January 21, 2014
Sure there were offers for me to sign up on my own dime, but you specifically had to tell them that's what you wanted to do. I would think there would be no harm in at least looking at the signup process and seeing if it's still like that, or they've added in automatic renewals.
posted by radwolf76 at 7:57 AM on January 21, 2014
Nthing radwolf76: I've signed up for the service as an affected Target customer. I was not asked for a payment method or told it was on auto-renewal, and (so far) there's been no pressure to opt into additional services. (FWIW, that was also true for a different service I enrolled in a couple of years ago, for a different data breach.)
posted by gnomeloaf at 8:03 AM on January 21, 2014
posted by gnomeloaf at 8:03 AM on January 21, 2014
Best answer: I monitor all my accounts multiple times a week either way, but why not just get new cards? Why risk your card being used a month or a year from now? I waited until all our Christmas returns were done and then requested a new Target Red Card (the only card I use at Target). I also linked the Red Card to a different bank (it's debit), so that a thief won't be draining my normal checking account.
posted by getawaysticks at 8:57 AM on January 21, 2014
posted by getawaysticks at 8:57 AM on January 21, 2014
Request a new card from your credit card company. Take advantage of the credit monitoring that Target is offering compromised customers.
posted by Ruthless Bunny at 9:29 AM on January 21, 2014 [2 favorites]
posted by Ruthless Bunny at 9:29 AM on January 21, 2014 [2 favorites]
"this is very strange because I have not shopped at Target since maybe 2005, what is happen."
I got an email sent to a nearly-new email account from Target. The email address was only on file with a third-party processor (business partner of Target). I bought something from Target via that third-party processor 10 years ago. I gave that third party processor my new email address (the one Target just emailed) about a year ago. No other company has that email address assigned to them since it was created about a year ago. I have verified all the information stated here because I wanted to know why Target had that email address, and wanted to confirm it was a legit email. It was a legit email.
I have gotten no bogus emails spearing me about the Target thing.
posted by tilde at 9:47 AM on January 21, 2014
I got an email sent to a nearly-new email account from Target. The email address was only on file with a third-party processor (business partner of Target). I bought something from Target via that third-party processor 10 years ago. I gave that third party processor my new email address (the one Target just emailed) about a year ago. No other company has that email address assigned to them since it was created about a year ago. I have verified all the information stated here because I wanted to know why Target had that email address, and wanted to confirm it was a legit email. It was a legit email.
I have gotten no bogus emails spearing me about the Target thing.
posted by tilde at 9:47 AM on January 21, 2014
At the very least, for Bank of America, they told me it would do me no good to replace my debit card, as without a record of fraud on the account, they would simply pass through any charges made on my old card to my checking account, whether I had canceled it or not.
So simply replacing the card may or may not help.
posted by needlegrrl at 11:10 AM on January 21, 2014
So simply replacing the card may or may not help.
posted by needlegrrl at 11:10 AM on January 21, 2014
@tilde - was that third-party processor Amazon, by any chance?
@needlegrrl - interesting. I'm a BoA customer. Walked into my local BoA branch the day before Christmas, told them I'd shopped at Target during the breach period, was going to be traveling the next week, and wanted to be sure that nothing would pop up that might impact my ability to use my debit card or get cash, and they were more than happy to replace my card and assure me that any charges that were not already in process for the old card would be denied. *shrug*
posted by hanov3r at 12:41 PM on January 21, 2014
@needlegrrl - interesting. I'm a BoA customer. Walked into my local BoA branch the day before Christmas, told them I'd shopped at Target during the breach period, was going to be traveling the next week, and wanted to be sure that nothing would pop up that might impact my ability to use my debit card or get cash, and they were more than happy to replace my card and assure me that any charges that were not already in process for the old card would be denied. *shrug*
posted by hanov3r at 12:41 PM on January 21, 2014
Response by poster: Thanks all! I think I will go ahead and get new cards and continue monitoring my accounts myself, but I will likely not take Target up on their offer of credit monitoring. I am pretty skeptical and savvy about e-mails and other communications from companies, so will keep an eye out for any scammy messages.
By the way, if you received a message from Target even if you haven't shopped there recently, it's because you were one of the 70 million customers whose name/address/etc. was leaked. This article has more information.
posted by LolaGeek at 7:46 PM on January 21, 2014
By the way, if you received a message from Target even if you haven't shopped there recently, it's because you were one of the 70 million customers whose name/address/etc. was leaked. This article has more information.
posted by LolaGeek at 7:46 PM on January 21, 2014
Target is now saying that it wasn't just transaction data that occurred between November and December that was compromised. The breach may also comprise any previously stored customer information from the last 10 years, it's just that it happened to have been stolen during that time frame. So if you ever let Target scan your ID to buy alcohol, video games or cold medicine that information may now be in the ether along with your debit and credit info.
Don't forget that Target has also built up a huge database of customer information that allows it to use predictive behavior analysis to send coupons to customers and keep track of their purchasing trends. Keep in mind that this is how Target outed a pregnant teenager to her father.
Was any of that breached as well? We may never know.
Also, Target has probably reached out to some of the datamining firms to find email addresses for customers that it didn't have email addresses for. I got the same notification email at an address that they never, ever had and I'm pretty sure that's how they got it.
posted by Arrrgyle at 5:07 AM on January 22, 2014
Don't forget that Target has also built up a huge database of customer information that allows it to use predictive behavior analysis to send coupons to customers and keep track of their purchasing trends. Keep in mind that this is how Target outed a pregnant teenager to her father.
Was any of that breached as well? We may never know.
Also, Target has probably reached out to some of the datamining firms to find email addresses for customers that it didn't have email addresses for. I got the same notification email at an address that they never, ever had and I'm pretty sure that's how they got it.
posted by Arrrgyle at 5:07 AM on January 22, 2014
This thread is closed to new comments.
I also just called the bank, they will send a new card and I will then cancel the old one. I put about 10 minutes into doing this (my coffee is still warm), it was pretty easy.
posted by carter at 6:27 AM on January 21, 2014 [2 favorites]