Target Breach: How to Lose Friends and Alienate Customers

Target’s response to its recent breach is a good lesson in what not to do after a company experiences a security incident. Other corporations facing the growing risk of data breaches can learn from the many missteps, if not foolish errors, taken by one of the nation’s largest retailers.

The company’s first mistake was bad timing. Hackers stole confidential data of up to 110 million Target customers who shopped at stores from Nov. 27 to Dec. 15. But instead of proactively announcing the breach, Target got scooped by respected security blogger Brian Krebs.
Krebs broke the story on Dec. 18. On the same day, Target CEO Gregg Steinhafel issued the statement that “we are pleased with Target’s holiday performance.” The company confirmed the breach only after the U.S. Secret Service and American Express released their own investigations.

From there, Target made two more egregious errors that sent the wrong message to customers and may jeopardize its financial security.

The first was an email that notified customers of the breach and offered them one year of free credit monitoring through Experian. Here are the problems with that approach:

• The email came from a suspicious sender address, TargetNews@target.bfi0.com, rather than an @target.com address, and it directed users to click on a link for additional details on the monitoring. The odd “bfi0” domain (with “target” appearing only as a subdomain label) suggested nothing official to differentiate the message from the phishing and malware-laden emails scammers send following such corporate data breaches; scammers often make exactly these kinds of subtle tweaks.

• Target should have known that customers are conditioned not to click on links in email messages, especially after a headline-grabbing security breach and when the sender address is questionable.

• Many people who received that email—myself included—didn’t actually shop at Target during the compromised dates, which made the email appear even more like a scam.

• Because the notice was delivered via email, and probably because it originated from a suspicious email address, the original message ended up in junk mail boxes. I only looked at the Target email because I was looking for a good example of a phishing email following a data breach.
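The sender-address problem above can be checked mechanically. The following is an added example (not code from the original post or from Target or Experian) that classifies a From: header against a brand’s real mail domain; it assumes target.com is the genuine domain, as the post states, and simplifies “registrable domain” to the last two labels instead of consulting the Public Suffix List.

```python
from email.utils import parseaddr

# Added example, not from the original post. Assumes the brand's real mail
# domain is target.com and treats the last two hostname labels as the
# registrable domain (a simplification; real checks use the Public Suffix List).
EXPECTED_ORG_DOMAIN = "target.com"


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, expected: str = EXPECTED_ORG_DOMAIN) -> str:
    """Classify a From: header relative to the organisation's real domain.

    first-party     registrable domain is exactly the expected one (news.target.com)
    brand-as-label  the brand name appears only as a subdomain label of someone
                    else's domain, the target.bfi0.com pattern the post describes
    lookalike       registrable domain contains, or is a near-miss of, the brand
    unrelated       nothing in common with the expected domain
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated"
    labels = addr.rsplit("@", 1)[1].lower().rstrip(".").split(".")
    reg = ".".join(labels[-2:])          # simplified registrable domain
    brand = expected.split(".")[0]       # "target"
    if reg == expected:
        return "first-party"
    if any(brand in label for label in labels[:-2]):
        return "brand-as-label"
    if brand in reg or _edit_distance(reg, expected) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples; the first is the address quoted in the post.
    for sender in ["TargetNews@target.bfi0.com", "Target <news@news.target.com>",
                   "alerts@targett.com", "rewards@target-rewards.com", "x@example.org"]:
        print(f"{sender:40} -> {classify_sender(sender)}")
```

Only the first-party class says anything about origin; a brand name inside a subdomain label, as in the Target notice, is something any sender can produce.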

But the gravest error by Target was to offer free credit monitoring. It may seem counterintuitive, but it has become a routine mistake companies make in the aftermath of a security breach that involves payment cards rather than Social Security numbers (SSNs). Though offering credit monitoring is usually an attempt to reassure consumers, this may instead give them a false sense of security and lead to more consumer blowback. Here’s why:

• Credit monitoring won’t help people impacted by a payment card breach. Credit monitoring is a service that is limited to looking at changes to your credit file. It looks for new creditors, credit accounts and key account changes, such as an address change, that have been reported to Experian, Equifax, or TransUnion. What credit monitoring does not do is monitor your existing credit accounts. So, if a Target customer enrolls in the credit monitoring solution provided by Target, that customer would not be alerted if an existing account—in this case credit cards and payment cards—was used fraudulently. The only way for Target customers to find out if an existing credit or payment card is misused is by monitoring their payment card accounts for suspicious activity. All suspicious activity should immediately be reported to their payment card issuer. While banks and card companies are aware of this incident, some customers of smaller financial institutions may think they are safe when they enroll in the credit monitoring, only to find that their card has been maxed out at the end of the month.

• Were SSNs stolen? By most accounts, including Target’s, no SSNs were exposed in this breach. Based on the nature of the breach and the very limited circumstances in which Target would have needed to collect SSNs, it is unlikely that the exposure of SSNs was part of the fact pattern here. This is important because without the exposure of an SSN, the creation of new credit lines and accounts, which creditors report to the credit bureaus and which then show up on an individual’s credit file(s), is incredibly unlikely. So again, it raises the question: Why was a tool that doesn’t monitor the actual risk here offered when no SSNs were exposed and it simply won’t help? (See point 1)

• Even if credit monitoring were effective or called for here, one year of free credit monitoring often isn’t long enough. Even if SSNs were exposed in this breach, which they weren’t, organized thefts of information by criminal rings, as is likely the case here, create exposures that surpass one year. Organized rings often will know that a breach of information was disclosed. They are aware that people may place 90-day fraud alerts or be enrolled in a year of monitoring as a result. So what do they do? Well, they simply hold on to the information for a year. Since there is no expiration date on an SSN (until you expire, that is) customers may initially breathe a bit easier with a year of credit monitoring. But they shouldn’t assume that stolen information can’t be abused afterward. Identity thieves can simply sit on collected data until 2015 or later.

• The sign-up process for the monitoring offered is not consumer friendly by nature. Some providers of credit monitoring have a one-step process: You simply enroll, and once you have been authenticated and signed up, your monitoring is active and no further steps are required. But the Target/Experian process involves a two-step enrollment. Once you have been authenticated and signed up, you are then sent a verification email to enroll. Enrollment is only completed and active when you click on a link in the verification email, which often either a) winds up in a Spam folder and/or b) is forgotten by the consumer. The email is then never clicked for activation and the consumer is left thinking they are enrolled in monitoring when, in fact, they are not. Regulators do not like this two-step sign-on process for the very reason that so many consumers, through no fault of their own, do not end up getting enrolled. In fact, even Consumer Financial Protection Bureau director Richard Cordray mentioned this in a recent appearance on The Daily Show with Jon Stewart. While he was referencing monitoring and other services paid for by the consumer, he said, “What they don’t tell you is maybe there’s an extra step or two to actually get the product. Months later when you go to seek the protection, they say, ‘Oh you didn’t have it.’ That’s wrong. That’s totally unfair.” And when it comes to consumer protection by the Federal Trade Commission, CFPB, or even state offices of the Attorney General, the last thing you want to hear is the word “unfair” in relation to treatment of a consumer.

The bottom line: Credit monitoring can be useful when it’s an ongoing service and not presented as an easy fix to a problem it will not solve, which is the case with the Target breach. It shouldn’t be used as a replacement for careful consumer vigilance. This means regularly looking over your existing accounts and cards for suspicious activity and charges in addition to monitoring your actual credit files.

While Target management was likely following the advice of its counsel, business units, compliance folks and potentially even regulators, this breach is a good opportunity for companies large and small to rethink their ‘boilerplate’ approach to breach remediation in favor of solutions and advice to consumers that fit the actual risks. It is also a good lesson in how to communicate with the public and impacted consumers, or at the least, a lesson in how not to communicate and respond to a breach.

Eduard Goodman is chief privacy officer at IDentity Theft 911.
– See more at: http://www.idt911blog.com/2014/02/target-breach-how-to-lose-friends-and-alienate-customers/#sthash.kWn4cMFp.dpuf

ObamaCare Website Creating Credit Concerns

While a battle rages over technical issues on the ObamaCare online marketplace, questions are emerging about the safety of data on the website.

Better Qualified CEO Paul Oster said the website is rife with security problems that can lead to identity theft and potentially wreck one’s credit if exploited.

“We have been flooded with calls by people that are concerned about the threat because what’s going to happen is it could take years before someone realizes that they became a victim of identity theft – and then they have to figure out was it in fact because of the information they provided through healthcare.gov?”

Oster added that most websites have the ability to “flash” users if they left the website they intended to be on and are now entering another domain, especially when clicking different icons on the page. But as of now, healthcare.gov lacks that function.

“It’s called ‘pharming’ and what happens is these hackers are able to redirect people when they’re clicking from one part of the site to the next and the person doesn’t realize that they left healthcare.gov. There are no triggers and alerts.”

But Bill Curtis, SVP & Chief Scientist at CAST, said this is not uncommon and other hacks have been reported that are much larger than the exposure on healthcare.gov, including the one revealed in July where five Eastern European men stole 160 million credit cards over the course of seven years.

There was also the TJX incident earlier this year, when the parent company of T.J. Maxx and Marshalls had 40 million credit card numbers stolen in what’s believed to be one of the biggest such incidents in history.

“The TJX heist would be roughly the same size of the exposure if every uninsured American went to healthcare.gov and exposed their personal and credit card information. So these types of security issues have already occurred at the same or even larger scale in industry.”
