Target Breach: 10 Facts

Experts advise consumers not to panic as suspicion falls on point-of-sale terminals used to scan credit cards.

6. Consumers: don't panic.
What should consumers who may have been affected by the data breach do next? "React, don't panic," Eva Velasquez, president and CEO of the Identity Theft Resource Center, said via phone. "Because we know that this is causing a lot of anxiety." On the upside, Target said that only card information -- and not people's personal information -- appears to have been stolen by attackers. "So now is the time to monitor statements very carefully," she said. "If you find any other evidence of fraudulent activity, obviously contact your financial institution."

One measure of people's panic is that Target's Redcard website and phone lines have been largely inaccessible since the company confirmed the breach Thursday. "We are working hard to resolve this issue by adding team member support and system capacity as quickly as possible. We apologize for the inconvenience and appreciate our guests' patience," Target spokesman Eric Hausman told the Minneapolis/St. Paul Business Journal Friday morning. In the meantime, the retailer is attempting to triage the outages by fielding customers' questions via Twitter.

7. Visa: we're investigating.
The Identity Theft Resource Center's Velasquez said that anyone who discovers fraud shouldn't have trouble getting help. "This is so big that if fraud is discovered on your card, it's not like your financial institutions are not going to know about this issue," she said.

{image 2}

Officials at Visa, for example, said Thursday that they're aware of the breach and have already begun working to mitigate any fallout, in part by working to distribute stolen card numbers to all affected issuers. "When such incidents occur, Visa works with the breached entity to provide card issuers with the compromised accounts so they can take steps to protect consumers through fraud monitoring and, if needed, reissuing cards," Visa said in an emailed statement. "Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows."

8. Watch fraud-reporting time limits.
Despite those assurances, anyone who might be a victim of the Target breach should beware card issuers' fraud-reporting windows. Different organizations, for example, may place 30-, 60-, or 90-day limits on when they'll accept a fraud notice, following a cardholder receiving their statement. Others, such as American Express, have no time limit for reporting fraud.

9. Debit card holders: call your bank immediately.
Debit card users should be especially vigilant. Credit card users won't be out of pocket if they suffer fraud and contest the charges, but the opposite is true for debit card holders since fraudulent transactions may take their bank balance to zero.

Accordingly, Velasquez recommended that any debit card users who might have been Target breach victims immediately contact their card issuers and ask for advice. "Tell them you're a victim of the Target breach," she said. To help combat fraud, different institutions offer different options, such as putting passwords on accounts or changing PIN codes. "But alerting your specific financial institution is really the way to go, because they all have different rules," she said.

10. Kudos to Target for coming clean quickly.
When it comes to information security, Target may have blown it. But according to Velasquez, the retailer does deserve credit for coming clean about the breach so quickly. "Four days? That's lightning speed," she said. "I think they deserve at least a few points for taking the hit and alerting their consumers ahead of time, and not trying to push it off until after the Christmas sales."

Compare the speed of Target's notification, for example, to the recent breach at JP Morgan Chase, for which the financial institution didn't issue an alert for more than two months. Or take the breach of the Washington State court system, which was publicly revealed in May 2013 after being detected in February. But state officials don't actually known when the breach occurred, saying they'd narrowed the window only to sometime since September 2012 and before February 2013.

There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)