The Target payment card breach that affected 40 million Target shoppers continues to evolve, most recently with news on Christmas Eve that various email scams are evolving that take advantage of consumer fear (social engineering). Unlike many other data breaches, where cardholders were not affected immediately or at all, the hackers involved in this breach have been selling card information on the black market and consumers are reporting fraudulent charges. Credit card fraud is one of several types of identity theft.
The email scams, which pretend to help victims recover from the Target breach, have been characterized as phishing scams, where victims may be requested to provide personal information, in addition to the affected credit card detail, such as a date of birth and Social Security number. Armed with one’s name, date of birth, and Social Security number, a thief can commit other more severe types of identity theft beyond using the credit card involved in the Target payment card breach.
There is too much conjecture and opinion in the media about how this data breach incident occurred, what could have been done to prevent the data breach, and what the consequences are now and in the future. The truth will be known when Target and Federal Law Enforcement complete their investigations and factual data emerges. In the interim, Target has set up an Official Website that provides information to assist consumers with their concerns, that provides a list of official Target communications to help consumers discern between email scams and official Target communications, and that offers free credit monitoring to victims.
Credit monitoring alerts consumers when changes are made to their credit history maintained by one of the three major credit reporting agencies: Equifax, Experian, and Transunion. Major alerts are issued to the consumer when there is a new credit application, a new credit or loan account is opened, when there is a late payment on an existing account, when a delinquent account is turned over to a collection agency, or when a bankruptcy is filed.
The misuse of an existing credit card, like the cards compromised in the Target data breach, would not result in a credit monitoring alert. However, victims can monitor for misuse of the card they used at Target during the breach period of November 27 through December 15 by reviewing their credit or debit accounts online or the monthly paper statement.
The information stored on the credit card magnetic strip, which was compromised in the data breach, does not contain the cardholder’s date of birth or Social Security number, so there is no risk that one of the more pernicious types of identity theft could occur.
However, the Target email phishing scams, which have been reported in the last day, may result in uninformed victims of the Target breach as well as other uninformed consumers who have not shopped at target, to turn over their date of birth and Social Security number to miscreants who will use that information to commit identity theft and fraud. Credit monitoring would be useful to detect if these identity thieves are applying for new credit by using the name, date of birth and Social Security number of victims.
Although consumer victims involved in the Target breach have zero liability for fraudulent transactions especially when they are reported promptly to the credit or debit card issuer, these fraudulent transactions may cause unnecessary inconveniences and stress for consumers. Consumers should do whatever possible to avoid becoming a victim of identity theft and to terminate any known or suspected fraud as quickly as possible in order to avoid further complications, inconveniences and post traumatic stress syndrome.
Recently we reviewed premium identity protection services that go beyond credit monitoring and include a variety of other services to help prevent identity theft in the 21st Century. One such service monitors the thousands of black market chat rooms and websites on the Internet where identity thieves, hackers, and crooks sell and trade account information such as those black market Websites where the account information stolen from Target are currently being sold.
Services of this type provide an alert to the consumer when their account number is detected for sale on the black market Websites and chat rooms. An Internet “web watching” service of this type combined with credit monitoring is a more effective alert system when a consumer credit or debit card is involved in a data breach.
The best offense against identity theft today, regardless if it is data security concerns about the HealthCare.gov Website, data breaches such as Target’s, or a stolen wallet or purse, is to purchase comprehensive identity theft protection.