On Friday, Target updatd details about the retailer's recent data breach. More people were affected and more data was stolen than first announced. The updated total includes 70 million persons affected, up from 40 million. More data was stolen, including names, mailing addresses, phone numbers, and e-mail addresses:
"As part of Target’s ongoing forensic investigation, it has been determined that certain guest information—separate from the payment card data previously disclosed—was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."
The retailer also announced the closing of eight stores in the United States. The following stores will close on May 3, 2014:
- West Dundee, Illinois
- Las Vegas
- North Las Vegas
- Duluth, Georgia
- Memphis, Tennessee
- Orange Park, Florida
- Middletown, Ohio
- Trotwood, Ohio
The additional data stolen makes the information stolen during the breach more valuable. the stolen data is simply more useful by identity thieves , spammers, and fraudsters. It also means that breach victims will probably experience spam and phishing attacks via e-mail and/or telephone spam. I've reported in this blog about many types of phishing attacks, including the fake Microsoft affiliate phone scam.
Also on Friday, the Better Business Bureau (BBB) warned consumers and Target breach victims to be alert for scams:
"Be on the lookout for scammers pretending to be Target or your banking institution. Prepare to get fake phone calls, emails and letters in the mail. They may ask for your personal information and direct you to click on links. The correspondence may look official, but do not respond. If you receive a phone call from someone claiming to be from your bank stating you've been affected by the Target hack, hang up. Then call the bank number on your credit card to confirm if you are actually a victim. If you receive an email claiming to be from Target, do not reply back. Instead go to Target.com/databreach. You can also contact Target’s victim hotline at 866-852-8680."
A fake Target data breach notification is already circulating on the Internet.
The New York State Attorney General, Eric T. Schneiderman, offered several tips for shoppers affected by the Target breach. Those tips include advice for shoppers considering Target's free credit monitoring offer, and how breach victims can protect themselves and their personal information.
In related news, several banks in Alaska are scrambling to reissue credit and debit cards to cardholders affected by the Target breach:
"Denali Alaskan Federal Credit Union said more than 2,200 debit and credit cards it issued were affected by the breach. About 2,000 cardholders were affected at First National Bank Alaska, and almost 1,100 customers of Alaska-based Northrim Bank were affected."
I expect we'll hear a lot more news in the coming weeks about banks reissuing cards for their cardholders. Somebody will pay for this, as T.J. Maxx learned.
As I warned in a prior blog post, any retailer or company cannot know the scope and extent of a data breach until after its breach investigation is completed. I am not surprised at all that the retailer increased both the number of shoppers affected and that data elements stolen. With this latest breach update and with Target offering free credit monitoring to breach victims, the retailer's tagline applies in several ways: "Expect more. Pay less."
This story is far from over.