The following information is based on recent statements and
notifications released by Target
New Alert: E-Mail Offers Gift Card, 1/22/2014
Important Note: This information was not disseminated directly from Target.
This alert was recently brought to the ITRC's attention courtesy of San Diego's ABC 10 News and Don't Waste Your Money's John Matarese.
Target has announced they will offer free credit monitoring services through Experian's ProtectMyID program to customers who shopped at Target stores in the U.S. during the time period of the breach. Those who enroll will receive free credit monitoring as well as other services for 12 months. For more information on how to apply, please read Target's information page on this offering located on their website. CLICK HERE
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information—separate from the payment card data previously disclosed—was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all Target guests who shopped our U.S stores. Guests will have three months to enroll in the program. Additional details will be shared next week.
ITRC - What does this mean?
While this new information may give more consumers cause for concern, in reality the exposure of names, mailing addresses, phone number or emails does not pose a significant "risk of harm". At this point, it is important for consumers to remember that there has been no indication that Social Security numbers have been compromised, therefore minimizing the potential risk of actual identity theft. Please note that the ITRC will continue to monitor communications from Target while they conduct further forensic analysis.
Also, while the additional information may help identity thieves develop profiles on individuals and use it to "socially engineer" other information about you, you would generally have to be an attractive (i.e. wealthy, public figure, or high profile) individual to warrant such effort.
The information below remains current as to the necessary actions which should be taken by consumers who may have received a breach notification.
Target Statement, Update 12/27/2013:
"We remain confident that PIN numbers are safe and secure," said a statement issued Friday by Target spokeswoman Molly Snyder.
According to the company, Target does not have access to or store the encryption key within the company's computer systems. The data can only be decrypted when it is received by the company's external payment processor, Target said.
"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," the company said, adding "the most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
Although this latest statement explains that the encrypted data could not be unencrypted, more details continue to surface. As a precautionary measure the ITRC is recommending that victims of this breach take the opportunity to change existing PIN numbers with their financial institution/bank as a precaution. It is always a good practice to think of a PIN number like a password and change both of them on a regular basis.
What we Know:
• Unauthorized access of payment card data (credit or debit card) occurred on purchases made in U.S. stores between November 27 and December 15, 2013.
• Payment information included customer name, credit or debit card number, card expiration date, and CVV (the three-digit security code).
• Social Security numbers and PIN numbers have not been compromised.
• This access did not involve online purchases.
• Target will be offering free credit monitoring to those affected.
What this means to you:
• A compromise of payment information means that an unauthorized person(s) now has access to this information and could potentially use this information to make fraudulent purchases on the account(s) that were used when you shopped at Target.
• Social Security numbers were not compromised: This is a key component required in order for thieves to be able to open fraudulent new lines of credit in your name. Since these were not compromised, they cannot open new lines of credit in your name.
• PIN numbers were not compromised. This means that if you used a debit card, the unauthorized person(s) do not have the PIN number and therefore cannot use the card at an ATM for cash. If your debit card has a Visa or MasterCard logo on it, then the card number could be used to make credit card purchases.
• Target will be offering free credit monitoring services. Credit monitoring can be helpful when the information that can be used to open new lines of credit has been compromised. Since this is not the case with the Target breach, this action will not be useful in preventing fraudulent charges on the existing account that was compromised.
What you can do:
• Monitor your credit and bank statements closely and look for any unauthorized activity. Review each item, and keep an eye out for small dollar transactions, including amounts as small as 99 cents.
• If you notice any fraudulent charges on your credit card or debit card, contact your financial institution (bank or credit card issuer) immediately. Inform them that the charges are fraudulent and they will walk you through their remediation process. Each financial institution has a different process.
If Target is the credit card issuer:
• Monitor your statements for fraudulent activity. If possible, go online and monitor the accounts as often as possible.
• If you discover fraudulent charges, you will have to notify Target directly. Please be patient. Many people are attempting to contact Target all at once. If you are unable to get through (as many people have been experiencing difficulty), continue to note the fraudulent charges and monitor the statements. Keep trying to get through to Target. Understand you will not be held liable for these charges, even if you are not able to get through right away.
If you used a Target REDCard:
• You don’t need to call Target unless you believe there are suspicious charges to your Target REDcard.
• Target already has fraud alerts in place and is actively monitoring REDcard accounts that may have been impacted. The banks that issue non-Target credit and debit cards also have been notified and have similar processes in place. You too, should keep a close watch on your account by reviewing your credit or debit card statements.
• You should call your card’s issuing bank if you discover any suspicious, unusual or fraudulent activity.
Why do you keep telling me to contact my financial institution?
• The banks are well aware of this situation and many have taken additional steps to ensure that their customers are not victims of fraud. The banks have sophisticated fraud monitoring tools in place and many have implemented additional protocols based upon the breach.
• Once you notify your bank of any fraudulent charges, you will not be held liable for those charges. It is important that you contact your financial institution as quickly as possible once you notice any fraudulent activity. In most cases, you have limited time available to report the fraud. Target has indicated that victims will "absolutely not" be held liable for fraudulent charges.
Beware of scammers impersonating Target
• Whenever there is an issue that affects large numbers of consumers, the shady scammers will come out of the woodwork. Scammers (not necessarily those who gained the unauthorized access) will undoubtedly try to victimize consumers by contacting them and saying they are from Target. This contact could come in the form of an email, a text, or even a phone call.
• If you receive an email that appears to be from Target that asks you for any personal information, such as your Social Security number, do NOT provide it. Rather than click on any links in an email or text, go directly to the website you need access to by typing the website URL into your browser. This will help to ensure that you are interacting with the actual entity.
If you receive a phone call from someone reporting to be from Target, do not give out any personal information over the phone. Hang up and call the number on the back of your Target card, or the number that Target has posted on its official website.
The Identity Theft Resource Center® (ITRC) is in no way affiliated, associated, authorized, endorsed by, or in any way officially connected with Target Corporation. All information pertaining to this breach is taken from Target Corporation’s breach notices available to the general public. The original notices are A message from CEO Gregg Steinhafel about Target’s payment card issues and Target’s Payment Card Issue FAQ. All tips and recommendations are based solely on the information that Target Corporation has released to the public. All tips and recommendations are solely the opinion of the ITRC and do not reflect Target Corporation’s opinion or instructions to affected consumers.