Situation for Target got from bad to worse over the weekend during the ongoing forensic investigation. New information came to light in this investigation, and Target has provided an update saying the intruders have also stolen , “certain guest information—separate from the payment card data previously disclosed—“. Please note that this is not a new breach but new information uncovered from the existing one last year December.
They say that the stolen information consists of names, mailing addresses, phone numbers and email addresses of up to 70 million customers. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals“, says Target in their official statement.
Target unfortunately now happens to be one of those companies that had 100 million or more records and information compromised in the data breaches. Target has not yet revealed as to what exactly this “guest information” might be. NakedSecurity by Sophos, is of the opinion that this “guest information” is worse and more significant that the 40 million data breach uncovered at first because the “guest information” might not just be related to the customers who visited Target during the November – December timeframe but even others who may have interacted with the company in any way.
Target will be emailing as many affected customers possible to provide more information, besides “including tips to guard against consumer scams“. They obviosuly won’t be asking the customers to share any information in the communication. Gregg Steinhafel, Targets chairman, president and chief executive officer apologized to the customers saying, “I know that it is frustrating for our guests to learn that this information was taken and we are sorry they are having to endure this, Our guests expect more from us and deserve better. And I want them to know that understanding and sharing the facts is important to me and the entire Target team.” And also reiterated the fact that customers will have “zero liability for the cost of any fraudulent charges arising from the breach“. Also, Target will offer “free credit monitoring and identity theft protection”.
They have set up the website (Link no more active as of 11th April 2015) for Free Credit Monitoring for one year, where they also request the users to be cautious against any calls or emails that may appear to provide the same. Customers are required to sign up on the website itself, where they have until April 23, 2014 to sign up to receive an activation code. They will receive confirmation within 1-5 days. And there is website available to guide the users on how to enroll.
Brian Krebs of Krebsonsecurity, who was in fact the first to break the story back in December, explains why Target is offering credit monitoring to affected customers. Krebs says people usually combine or confuse credit card fraud with identity theft, and providing a service similar such as credit monitoring is what any company usually does post data breach as compensation and apology.
The First data breach at Target
Target was yet another victim of the security attack last year wherein hackers had stolen information of about 40 million customers. The information involved the credit card and debit card numbers of people who had shopped at Targets US retail store. The breach had taken place between November 27 and December 15, 2013, 29th November being the Black Friday. According to Krebs sources, Two different credit card issuers said the breach “extends nationwide” (the US), and the data stored in the magnetic strip of the cards used at the store was stolen.
Target is the second-largest discount retailer in the United States after Walmart. They have for now made available the data breach related FAQs and other information on their official page.