This is the second part of a three part series regarding the recent Target data breach incident. In Part I, we actually expressed appreciation for some of the positive outcomes of this data breach.
Primarily the fact that it captured national attention from a broad cross section of consumers. This is positive because consumer engagement in this area is not widespread and any activity that causes consumers to take a more active role in this conversation is valuable.The ITRC call center received hundreds of calls when the information first became public. One area of confusion was continually brought to our attention: People simply did not understand what the true effect and real risk was regarding that data that was compromised. Frankly, it boiled down to: I am a victim of the Target data breach – what does that mean? Many consumers were under the impression that the compromised data included information which could be used to obtain NEW lines of credit and/or open new accounts in the consumer’s name. This is inaccurate.
According to Target, the information that was breached was “payment information”: The specific card (debit or credit) that was used for payment at a Target location, during the affected time period. This included information housed on the magnetic strip of the card, and encrypted pin numbers (for debit cards). To date, Target has not reported that any other Personal identifying information (PII); including Social Security numbers was compromised. Social Security numbers, a key component in allowing identity thieves to open new lines of credit in your name, are not contained on the magnetic strip.
It is true thieves could take the compromised data and use it to “socially engineer” other information about you, in the hopes they might discover enough to uncover the PII needed to steal your identity. This does require some effort. Generally, you would have to be an attractive (i.e. wealthy, public figure, or high profile) individual to warrant such effort. This is usually not the case with the average consumer. So while it is possible for this to occur, the likelihood that it will happen is quite small.
The risk to individuals whose data was compromised in the Target data breach is simply this: The compromised account could be used by someone other than the owner of the account to purchase goods or services. The recommendation to check the activity on these accounts is solid advice. The suggestion to close accounts, request new cards, and change PIN numbers (now that we are aware that encrypted PINS were compromised), is also accurate advice. These actions will stop the compromised data from being used, and therefore render it of little value.
Checking credit reports, as a response to this particular breach, is simply ineffective. It’s important to make it clear that in this particular case, checking your credit reports will have zero effect on minimizing the risks associated with this exposure. Checking your credit report is always a good idea, and the ITRC encourages consumers to do so on a regular basis. By all means, check your report and ensure that there is no erroneous or fraudulent activity or information on it. Regularly reviewing your credit report will minimize the amount of damage a thief can do because you will catch the activity earlier. There is a direct inverse correlation between the date of discovery of identity theft and the level of difficulty in resolving the issue. Just realize this action will not minimize your risk of becoming a victim of identity theft, it only minimizes the amount of damage a thief can perpetrate. In regard to the Target data breach incident, checking your credit report (based upon the information disclosed by Target at this time) will not minimize your risk of having the compromised card numbers used to purchase goods or services.
The high level of confusion among consumers only serves to highlight the importance of ensuring that the general public realizes that the level of risk varies depending on the type of breach that has occurred. The “risk of harm”, or type of future risk to victims of a data breach, is dependent upon the type of data that was compromised. Indeed, not all breaches are created equal. There are many variables to consider because most breaches involve complex and technologically advanced systems. It should be noted that it is not only the type of data which is breached that helps to define the potential damage, but consumers’ online practices (and offline behaviors to a lesser degree) that increase risk as well.
For example, a breach of usernames and passwords for an online, non-financial account may have little effect on Consumer A because they actively follow best practices to minimize their risk, but it could have a devastating effect on Consumer B because they don’t. Consumer A regularly checks privacy settings and keeps them on the strictest setting, and uses different passwords for different accounts. Consumer B, who keeps their social media profiles public, and uses the same password for ALL accounts, including their banking site, could easily be compromised. The savvy identity thief can easily discover what Consumer B’s email address is, and log-in to other accounts because the consumer uses the same password for everything. The thief then gains access to financial accounts by using the same log-in and password information.
It is up to the business industry to ensure that they are following best practices and have the most up-to-date and robust systems/mechanisms in place to thwart the thieves. But consumers need to be aware of the role they CAN play in their individual safety. Then they need to take those steps and employ those strategies. While this will still won’t guarantee someone will not become a victim of identity theft, it can help to lessen the chances and the damage if it does occur.
"Why I Want to Say Thank You to Target (Part 2 of a 3 Part Series)" was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.