How to deal with Target’s data breach
By Beth Pinsker and Mitch Lipka, Reuters
NEW YORK - The number of people affected by Target's data breach during the holiday season is now expected to be least 70 million, up from the company's original estimate of 40 million. That means many more people need to assess their credit and debit card security.
Late last year, Target reported that thieves stole cardholder names, card numbers and three-digit security codes between Nov. 27 and Dec. 15, and that information could be used at any point to commit fraud. Now the retailer says additional personal information was stolen, including email addresses and phone numbers.
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Target's chief executive, Gregg Steinhafel, said in a statement.
If you shopped at Target during that time period -- or at other times -- and are worried about your accounts, here are answers from experts on the most frequent questions:
Q: How did the hackers get phone numbers, street and email addresses? Is this kind of data included in store transactions?
A: Target is still investigating the incident, which is why the number of people affected and the scope of the breach keeps changing.
The information stored on the magnetic stripe on a credit or debit card will not pass along a home address or email address from an in-store swipe. But other cards may share additional info, like a store-brand credit card that requires the user to provide that data at sign-up.
If thieves have this information, it could also mean online purchases are affected, said Robert Siciliano, online security expert for Internet security company McAfee Inc. "There is certainly more to this story," he says.
Q: How do you know if your information is stolen?
A: It's impossible to know if your data has been stolen and if it might be used for fraud, but it is a growing problem and consumers need to be on alert. The number of people notified after a data breach that they were victimized by fraud rose by 340 percent between 2010 and 2012, according to a recent report from Javelin Strategy & Research.
Q: What should Target customers do?
A: At a minimum, customers who shopped at Target during the affected period with a debit card should change their PIN, the personal identification number. You can also request a new debit card from the issuer.
Credit card users can change passwords or ask for a new card, but that may be more trouble than it's worth and give a false sense of security because the new card is just as vulnerable.
"It is going to quite a hassle to update all of your subscriptions and services attached to that card," said Yaron Samid, chief executive of BillGuard, a company that offers a free service monitoring credit and debit cards for unusual activity. "The only way to protect yourself is to pay close attention to your credit card activity."
Target says it is offering one year of free credit monitoring and identity theft protection to all Target customers who shopped at U.S stores.
Target customers have three months to enroll in the program. The company says it will announce additional details next week.
Customers who have additional questions can call Target's hotline at 866-852-8680.
Q: What should all consumers do?
A: The first line of defense for all credit and debit card holders is to closely monitor your credit and debit card statements all the time, say security experts.
If charges are not disputed, a thief will know the information is valid, allowing the card to be used again illegally, said Yaron Samid, chief executive of BillGuard, a company that offers a free service monitoring credit and debit cards for unusual activity. Fraudulent charges are often small in scope, because thieves know they are less likely to be noticed.
If you dispute a charge on a credit card, the issuer will typically credit that amount back to you, and then investigate.
With debit cards, which have fewer protections against fraud, the bank will decide to investigate, then decide when and if to credit the amount back to your account.
The most aggressive action a consumer can take is to freeze their accounts, which restricts access to your credit report. That can stop account fraud cold when crooks apply for credit using your information, though lifting a credit freeze if you want to apply for a loan or a new credit card is a bit cumbersome. It involves a password-protected process and often carries a fee. It might take up to three days.
Q: How are consumers at further risk than just their debit card and PINs being stolen?
A: Any personal information stolen, like email addresses and phone numbers, could be used for other identity theft "phishing" attacks, where a criminal contacts a person looking for even more information and access to accounts.
In the Target data breach, piggyback attacks could come from scammers pretending to be banks or credit card issuers, asking you for even more information, particularly your Social Security number, warns Siciliano.
"The goal of the bad guy is always to get a credit card under your name -- to take one over or get a new one," said Siciliano.
The good news is that in order to do that, a thief needs your Social Security number, and Social Security information was not passed along in this breach, Siciliano notes. The bad news is that thieves will work during a long period of time to bait you for sensitive information, luring you in with what they already have stolen, he adds.
To combat this, he recommends identity theft protection for everyone, which some of the other companies he consults for sell. "Without it, you're a sitting duck," Siciliano said. (Follow us @ReutersMoney or at http://www.reuters.com/finance/personal-finance. Editing by Lauren Young and Leslie Adler)