
"We're sorry you got hacked": Target's letter to unlucky shoppers

A Marketplace staffer / Target "guest" received this email from the beleaguered chain this morning. They're offering victims a year of credit monitoring, deep regrets, and some (all-too-useful?) advice.

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian's® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:

• Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
• Delete texts immediately from numbers or names you don't recognize.
• Be wary of emails that ask for money or send you to suspicious websites. Don't click links within emails you don't recognize.
Target's email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel

Chairman, President and CEO

Want to go shopping, anyone?

Comments

I have also received this letter but unfortunately the so-called protection is only available to persons with US social security numbers. This is unfortunate as there are several customers like myself that are visitors to the US and are exposed to identity theft due to this breach.

I too received one of these e-mails. The great irony for me was that 'tips' for safeguarding my data all focused on things I can do to keep from allowing access to my account information when responsibility for this breach rests entirely with Target. Other than no longer using my credit card at Target (or most other retailers) nothing I do will prevent this type of illicit access to my credit card information.

Sadly, there has been little scrutiny on what Target should have been doing to prevent this situation. How was the data stored? Was it encrypted? Was the data broken out over several locations that require a synching algorithm to match the data back together in the event that all data across those locations was stolen? The theft of the information itself cannot be completely prevented. However, assuming that Target's access security was responsibly and adequately (using 'adequate' in the auditing sense of control assessment) implemented there is another layer of security that should be expected. That layer is one in which the case of the data itself being compromised is reviewed and the usefulness of that data to an unauthorized user is mitigated...in short, set the data up in such a way that a thief who gets the files cannot manipulate the data to obtain any value from it.
Since so many companies seem to be derelict in their duties on this front it is time for some stronger regulatory standards around customer data security so that we consumers can be assured of at least minimum standards and then make choices with that knowledge.

Beyond any of this is, of course, the question of who owns the individual's credit data. That is not an easy question to answer but it is one that needs to be discussed broadly and at least begun have answers pursued. We all like the ease of one-touch style on-line shopping but there are potential risks involved. We all like to think of 'our' data even though we have done nothing to massage it into any particularly useful format that allows our easy purchase of goods. At the same time, we reasonably expect certain types of activity surrounding that data while never imagining some of the other activities taking place with that same data and the way it is collected.

