Data Breach Checklist: Lessons to be Learned from Target


The Target data breach that became news on Thursday, December 19th, had a significant impact on the Identity Theft Resource Center’s call center. Though the ITRC was not listed on the breach notification as a resource, concerned consumers still found their way to us as they sought out some third-party insight into what this really means.

I Got a Breach Notice: What Do I Do?

The general consumer population has begun to realize that when they receive a data breach notification (by letter, email, text or media blitz), it holds significance, but they remain basically unsure of what to do in the aftermath.

It is important for consumers to understand that not all data is created equal.  There are levels of risk based upon the type of data compromised.  

According to the statements made by Target, the data that has been breached is payment card data only, not individual personal identifying information (PII). This means that the specific card that was compromised could be used to make fraudulent purchases, but the thieves do not have the information necessary to open new accounts in your name. The key is that this is the current state of the situation but, as more is revealed, it could change.

Right now consumers should react, but not panic.  Act on the details that we currently have.  Contact your financial institution or credit issuer and ask them what process you should employ to minimize your risk based upon the details that we have right now.

The Situation Changes

Even weeks later, the details are still surfacing and information will continue to come to light as the forensic analysis uncovers the depth and scope of the hack. Originally it was represented that account PINs were not compromised. At that time, the ITRC informed consumers that they should be changing PINs on a regular basis, and if they hadn’t changed their PIN in a while, it would be a good time to do so. Now that we are aware that strongly encrypted PINs have been compromised, we are increasing the level of reaction and asking consumers to go ahead and change their PIN as soon as they are able.

It must be noted that the PINs were encrypted and the encryption key, the tool that is necessary to decrypt the data, was not stored within Target’s computer systems. It is housed at the external payment processor and therefore could not have been compromised.

Why Is This Breach So Important?

We have spoken with so many folks that have had such venom for Target and this breach. And while consumer outrage is more than justified, we wonder why there is such a strong reaction to this breach in particular.  The ITRC has been tracking and reporting data breaches since 2005.  During that time, we have captured 4,240 breaches in our Breach Report.

While Target will likely be the biggest breach for 2013, with 40 million debit and credit cards compromised, it isn’t the largest breach to date; Heartland Payment Systems still holds that honor with its breach in 2009 (130 million records).  This is followed by TJX in 2007 (94 million records), Sony PlayStation in 2011 (77 million user names), the U.S. Military with 76 million records in 2009, and CardSystems back in 2005 with 40 million compromised accounts. Unfortunately, data breaches will continue in 2014, as the hackers continue to stay one step ahead of the security experts; after all, we captured more than 600 breaches in just this year alone!

Why then did it garner so much attention? The reality is that this breach received more attention because it occurred during the holidays, and because Target is an iconic brand. The one silver lining that we can identify from this breach is that it has heightened awareness of data breaches and, in turn, of identity theft risk factors for the average consumer. The question most frequently asked was: I know that I am only one of millions affected, but what does this really MEAN to me personally?

As we continue to get updates, the ITRC will continue to provide new tips and tools to the affected consumers.


Eva Velasquez

Eva Velasquez is the President/CEO at the Identity Theft Resource Center, a non-profit organization which serves victims of identity theft. Velasquez previously served as the Vice President of Operations for the San Diego Better Business Bureau and spent 21 years at the San Diego District Attorney’s Office. Eva has a passion for consumer protection and privacy issues and is constantly striving to educate the public about these important topics. She is recognized as a nationwide expert on identity theft and has recently been featured on the Ricki Lake show and MORE magazine, as well as numerous other outlets.
