Between November 27 and December 15 of 2013, as many as 70 million people nationwide fell victim to the infamous Target data breach. Of those people, an estimated 1.2 million were North Carolinians. Customer names, credit and debit card numbers, card expiration dates, and the embedded codes on the cards’ magnetic strips reportedly were stolen by an unknown third party. It has recently been discovered that mailing addresses, phone numbers, and e-mail addresses were also compromised.
Target claims that it was made aware of the hacking on December 15, and while the company has been forthcoming with most information, it has not disclosed exactly how the breach occurred or who is responsible. The problem has reportedly been fixed, and Target representatives say the company is working to prevent future problems.
In an effort to prevent future scams, Target has advised customers to check their bank statements carefully after making purchases and to report any suspicious charges to their credit card companies, as well as to Target. Target is also offering a free year of credit monitoring and identity theft protection to all customers who shopped at U.S. stores during the three-week period.
While it appears that Target is taking some preventative measures, some complain that Target is not doing enough. “I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure,” said Connecticut Senator Richard Blumenthal to The Hill.
Blumenthal addresses the same concern that many Americans have: will this happen again, and will consumers be notified sooner if it does? For some victims of the scam, it took three weeks before they even realized that their bank accounts and credit cards had been hijacked. This is an issue that legislators nationwide are working diligently to address.
For example, since the Target scam, a bipartisan coalition in the House of Representatives has approved a measure that will require the government to notify consumers in the event of a data breach involving HealthCare.gov. The Department of Health and Human Services will have two days, following such an attack, to contact every American with insurance coverage connected to the system.
This is undoubtedly a step in the right direction, but it still leaves victims of other types of data breaches without immediate notification and/or relief. Currently, aside from the HealthCare.gov law, there is no sweeping legislation that requires companies to notify consumers in the event of hacking. Credit card transactions are a big part of large scams such as Target’s—which involved in-store purchases—but with social media and online transactions becoming more popular, more opportunities exist for people’s private information to be compromised.
Following the Target breach, Senator Deb Fischer of Nebraska wrote to the leaders of the Senate Commerce Committee, on which she sits, urging the panel to explore the possibility of a new data security law. It is possible that something is in the works, but there does not seem to be any urgency to put anything into action. Senator Fischer’s concern is not without merit: it stems not only from Target’s recent breach, but also from a data breach on the mobile application Snapchat.
Late in December of 2013, a hacker published a database allegedly containing 4.6 million Snapchat user names and phone numbers. Unlike Target, Snapchat makers did not respond to requests for comment by the media, nor has the company made any statement regarding the incident. Users of the mobile application have been left with no information regarding how the breach occurred or if they are at risk of a similar event in the future.
“It just doesn’t seem to take a lot to figure out how to bypass the protections they have in place,” said Robbie Trencheny, an Oakland app developer who helped create GS Lookup, a web tool to help Snapchat users check to see if their own user names or phone numbers were leaked during the breach.
“Still, this exploit isn’t as bad as it could have been,” said author and consumer privacy expert Bob Sullivan. “These aren’t credit card numbers and these aren’t social security numbers.”
Unfortunately, the same cannot be said for Target. Much more private information was leaked and nearly one-fourth of the American population was affected. While Target was forthcoming with information and apologized to consumers, the company was not forced to do so. More and more legislators now believe that companies such as Target and Snapchat should be required by law to tell customers when their data has been leaked.
Proposals to create new legislation requiring data breach notification have been met with little support at the federal level; conversely, a number of state-level regulations currently exist and operate as the framework for future legislation. California, for example, is at the forefront of data breach regulation. The state implemented a law in 2002 that currently serves as the model for data breach laws in other jurisdictions. The detailed legislation protects consumers’ private data from misuse by businesses and third parties who illegally obtain the data.
California’s law certainly was ahead of its time when it was drafted and addressed issues that recently have become pressing. The Target and Snapchat breaches, however, make it clear that the legislation failed to address a few important matters.
The law covers the protection of “personal information,” and defines that term thoroughly. It was recently discovered, however, that the definition of “personal information” did not include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” As of January 1, the law was amended to include the new definition.
If California, a state that implemented data breach protection laws over a decade ago, failed to include important terms that directly apply today, imagine the holes in other states’ legislation – if such legislation even exists. There are so many opportunities for consumers to be left unprotected, and the Target breach helped illustrate that.
Information has only very recently been divulged, but Neiman Marcus issued a notice in mid-January stating that its stores were victim to a security breach similar to the breach at Target. The nationwide department store’s computer network was hit by hackers as far back as July. The breach, reportedly, was not fully contained until January 16, and the store did not even become suspicious of a breach until mid-December.
The biggest fear is that breaches such as these are part of a much bigger scam. ISight Partners of Dallas recently published a report stating that they are almost certain that the Target scam, and possibly the Neiman Marcus scam, derived from BlackPOS, “a crude but effective piece of software that contained malware scripts with Russian origins.” Target has not spoken out about the possibility of a BlackPOS scam, but it certainly creates reason for concern. These types of crimes are, as of now, almost impossible to prevent, and many cybercriminals are so sophisticated that they rarely leave any tracks. Finding the culprits is something that could take months or even years.
The pressing matter now is how to handle attacks such as those on Target and other companies. Companies subject to breaches are understandably hesitant to come forward with information about the breach for fear of losing customers. Customers, on the other hand, want to be informed when their privacy is put at risk.
“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence,” Chairman, President and CEO, Gregg Steinhafel, said this month in a statement. Without federal legislation in place, consumers can only hope this is true of Target and other retailers who fall victim to a security breach.