Comments
Target Mocks, Not Helps, Its Data Breach Victims
Thomas Claburn,
User Rank: Ninja
1/22/2014 | 4:46:28 PM
Credit monitoring
The whole notion of credit monitoring as a service is offensive because it shifts responsibility for data integrity from the data gatherer to the consumer. If you're going to compile data, you should be obligated to maintain it and represent it accurately.
dak3,
User Rank: Moderator
1/22/2014 | 5:16:25 PM
Re: Credit monitoring
In fact, Target has already offered all of its customers a year of free credit monitoring. And I, for one, applaud their action in attempting to help educate the vast number of consumers who have no clue about security - how can that be a bad thing?
Mathew,
User Rank: Apprentice
1/23/2014 | 5:31:12 AM
Re: Credit monitoring
Agreed. Even better would be allowing data breach victims to bill the offending party -- at a suitably high hourly rate -- for the time that they (or better, a designated third party) have to spend cleaning up the mess. 

ID theft monitoring is watching for criminals putting your stolen card details to use. Had the breached business properly safeguarded that information, customers wouldn't be stuck with having to watch for fraud -- through no fault of their own.

And it's a reminder to never, ever use a debit card except in an ATM, if you can help it.
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 8:45:41 AM
Re: Credit monitoring
There is nothing wrong with Target educating users about best security practices. But how about Target educating retailers about the lessons they learned about how they got hacked in the first place? That would require a level of transparency that is rare in the industry.
RobPreston,
User Rank: Apprentice
1/23/2014 | 9:42:04 AM
Re: Credit monitoring
Security education is all well and good -- to argue against it is like arguing against teaching kids math and science. But it misses the point here. Target needs to take full responsibility for the breach and ensure that it will never happen again -- through better technology, practices...and customer, partner, and employee education. Spare us the PR campaign. 
Drew Conry-Murray,
User Rank: Ninja
1/23/2014 | 10:03:50 AM
Re: Credit monitoring
I shopped at Target during the period of the breach, and my bank issued me a new card. I was thinking of taking up Target on its offer of the free credit monitoring, but I was just looking at the site and saw that I need to provide Experian (the company that will monitor my credit) with my social security number. That bothers me, because I don't really trust Experian to keep my information safe.

Just curious to get some opinions on whether the credit monitoring is worth it in exchange for my SS#.
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 12:18:50 PM
Re: Credit monitoring
Well, based on what Brian Krebs reported last fall -- that an identity theft service that sold SS and driver's license numbers purchased much of its data from Experian -- I wouldn't be too eager to share that information.
JBonfield,
User Rank: Apprentice
1/23/2014 | 1:30:45 PM
Re: Credit monitoring
Regarding Target educating anyone- They first need to get their own house in order and be able to really make their customers, partners, employees feel secure spending their money in the stores.

As of right now, I refuse to go to Target as I do not know how it happened to begin with, and whether or not they have fixed their security system enough to keep it from happening again.

I think security teams and companies who have fixed issues like this, and the hackers that have been caught need to be out there educating the businesses on what might happen, what could happen, and how to keep it from ruining their business.
jgstoddart,
User Rank: Apprentice
1/25/2014 | 12:37:20 PM
Re: Credit monitoring
I agree with Thomas 100%, responsibility is a big part of the issue. Data breaches should cost the company something (other than a hit to their reputation), there should be compensation to all persons affected by this. Only then will companies take notice, in the wallet, that's where it hurts...

Marilyn Cohodas,
User Rank: Strategist
1/28/2014 | 11:01:41 AM
Data Breach Costs
Data breaches do cost a lot of money, beyond the damage to a company's reputation. In fact, The Ponemon Institute and Symantec have been benchmarking worldwide costs of data breach for the past eight years. In its May 2013 report, for example, researchers reported that German and US companies experienced the most costly data breaches at $199 and $189 per record at a total cost of $5.4 million in the US and $4.8 million in Germany.

Clearly, organizations must consider these losses as a standard cost of doing business. Otherwise they would be more proactively investing in systems and policies that help avoid them.

 
jgstoddart,
User Rank: Apprentice
1/28/2014 | 1:30:49 PM
Re: Data Breach Costs
The cost I meant was for the company to have to pay all those affected by the breach.

Kristin Burnham,
User Rank: Apprentice
1/22/2014 | 7:53:14 PM
Ideas?
Readers -- what would you have rather seen Target do?
JeniferS511,
User Rank: Apprentice
1/23/2014 | 2:07:46 PM
Re: Ideas?
There are a lot of things I think Target could've done differently to alleviate the frustration of its consumers. 1) Instead of waiting at least 4 days after discovering the breach and allowing another news source to break the breach, Target should have immediately released the news. 2) At the time that they knew the breach had occurred all of their Red Cards (debit and Credit) should have been cancelled and new cards should have been issued. All banks should've been immediately notified. 3) Target should've been specific into how this security breach occurred. It's been nearly 3 months after the timeline they gave for the breach and it is only coming to light now that they had malware installed on their server. Along with being specific on how it occurred, there should've been specifics on how they fixed it. Just saying it's been taken care of doesn't instill confidence that the problem has actually been corrected. 4) Although we all should be checking credit reports yearly, placing the onus back on us to make sure we aren't the victim of fraud when it was their fault that our information was stolen in the first place is not a good way to do business. You are essentially saying that if our information is used then it was our fault for not being diligent enough to stop it. No one has pointed out that all of the information that was stolen has been carved up and is currently being sold on black markets based on regional information. So if you live in S. Ca your information that was stolen is going to be sold to someone in S. Ca, this way if they use the stolen numbers it doesn't raise flags immediately because this is the area that you do your shopping in anyway. The other issue is that it could take months or even years to go through the millions of numbers that were stolen, so yes it is good that Target is giving you a free year, but it could be a year and half or 2 years before a thief might come across your number to use it if it is still available.
Bottom line, Target was not proactive in reporting, containing, and solving the problem. It is the handling of the breach that has caused me to forgo shopping with them, not the breach itself.
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 10:31:26 AM
Re: Ideas?
[Target] is essentially saying that if our information is used then it was our fault for not being diligent enough to stop it.

Couldn't agree more, JeniferS511. There is definitely something wrong with that picture. 
rradina,
User Rank: Apprentice
1/23/2014 | 2:21:47 PM
Re: Ideas?
My greatest concern is that this will be swept under the rug and those responsible for bad decisions will not be held accountable.  Therefore I'd like Target to:

1)  Come clean and provide a complete description of exactly what happened

2)  Provide full disclosure regarding their PCI internal and external audits -- including the external auditor's name

3)  Provide internal Target staff the ability to anonymously voice past and present PCI concerns.  I'd like to know if folks on the inside repeatedly warned of risks that were never addressed and know what's being done to address them and if there are any that still aren't being addressed.

4)  Cover all costs banks incur issuing new cards and covering fraud.

5)  Cover all government costs incurred helping them figure out what happened.

6)  Provide free legal help to anyone who experiences trouble with identity theft or creditors and cover their losses @ 120%.  If that's handled through a third party, fine, but I shouldn't have to lift a finger to start the service.  You sent me an e-mail apologizing.  You can send me an e-mail stating that you've activated a service on my behalf.  WHY DO I HAVE TO SIGN UP AND PROVIDE MY CREDIT CARD! Target needs to give them a purchase order number!  I have no desire to have some B.S. auto-renewed plan that I have to fight to get cancelled a year from now.
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 10:27:04 AM
Re: Ideas?
Great list, @rradina. I won't hold my breath about Target providing a complete disclosure regarding their PCI internal and external audits but I too would like to know if Target employees complained about system problems. If so, Target could have addressed the issue earlier and saved many more shoppers from having their personal data compromised. 
BobH088,
User Rank: Apprentice
1/23/2014 | 9:29:11 AM
data loss solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel after one of the tags was responsible for getting my lost laptop returned to me in Rome one time. You can get them at mystufflostandfound.com
JBonfield,
User Rank: Apprentice
1/23/2014 | 1:25:11 PM
Target Info Breach- Target not helping anyone but themselves
Our accounts are affected, our lives turned upside down for various amounts of time (week, month, months, year) depending on the situation. For me, it was two weeks of being inconvenienced, and now another two weeks of my bills being held up and held back, and eventually an onslaught of bill payments ripping through my account. I get to live on peanuts for the next week, which would not have been the case had my account not been compromised.

What do we get for the lack of security on behalf of Target? We get a free year of credit monitoring. What does this include? NOTHING other than being able to see what has already happened, and how it affects your credit.

In order to get credit reports along with the monitoring or any kind of real service out of the deal, you have to submit a credit card and pay!

Isn't that what got us in this mess in the first place?

I personally agree with some of the states that are filing class-action suits against Target on this issue. I am praying that my own state does as well, or there is some way for me to be included in any of the other ones.

I have sworn off Target for the time being. I do not foresee my shopping there anytime soon. I have plenty of other stores to go to where my information was not breached.

Thanks Target!

Jonie Bonfield, Madison, WI
Joe Stanganelli,
User Rank: Ninja
1/28/2014 | 10:07:57 PM
Re: Target Info Breach- Target not helping anyone but themselves
FWIW, Target has already been attacked and beefed up their security since.  It's probably safer right now to shop at Target than their competitors.  (Esp. considering the recent Neiman Marcus attack.)
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 8:58:15 AM
Re: Target Info Breach- Target not helping anyone but themselves
I have to agree with you Joe, that it (sadly) is probably safer to shop at Target today than it was a few months ago, before the breach. Same theory as flying on an airplane after a crash. The security will never be higher than in the days and weeks after a disaster. 
Joe Stanganelli,
User Rank: Ninja
1/29/2014 | 11:10:06 PM
Re: Target Info Breach- Target not helping anyone but themselves
Of course, Marilyn, then it becomes a little like game theory. Next thing we know, we'll see a major breach like this...and then another (exceedingly well-planned and executed, with perhaps inside help) breach on the same company in the wake of it well into the remediation process.
Joe Stanganelli,
User Rank: Ninja
1/28/2014 | 10:05:45 PM
Class actions
More likely than a nonprofit, the bulk of class action money not going to lawyers will probably wind up in the hands of states' coffers (as state AGs go after the company).  I don't see Target money going to a nonprofit as part of a settlement as a foregone conclusion.

