It started this week while I was working on one of my customer’s computers, when she asked, “What do you think about those millions of credit cards being hacked at Target?”
Not having watched the previous evening’s news broadcasts, I had missed the story of one of the biggest credit card thefts of all time. Apparently, “hackers” had stolen the account information for up to 40 million credit cards used at Target stores between November 27, the day before Thanksgiving, and December 15. A few minutes after being filled in by my customer, I got a text message from my daughter. “Did you hear about millions of credit cards getting hacked at Target? Might want to keep an eye on your account.”
She was right, darn it. Her message jogged my memory: I had used my credit card at Target on November 27, the first day of the massive hack attack. I knew right then the story needed my full attention. Pretty soon, other people were asking the same question: “Should I be concerned?”
The short answer is yes: if you shopped at a Target store between November 27 and December 15, and paid with your credit card, you should be concerned. Word is the big hack does not extend to online purchases from Target; only folks who actually visited a Target store and used a credit card are potential victims.
I use the phrase “potential victims” because nobody knows how many of the 40 million stolen credit card accounts will actually be used by the bad guys to steal money. Still, 40 million accounts stolen over a period of 19 days means over two million accounts stolen every day. Target is not forthcoming with statistics about how many daily credit card-using shoppers they have, but common sense dictates that if you used a credit card at a Target store during those nineteen days, the likelihood that your account was stolen is high.
Large numbers of the stolen accounts are already surfacing for sale on the underground black market websites frequented and run by Internet criminals. Some credit card industry pundits are advising potential victims to “not panic” and to closely monitor their accounts instead. My advice is much simpler and less stressful: call your credit card company, ask that your current card be cancelled and that you be issued a new card, with a new card number and new PIN. You’ll still need to monitor your account for any bogus charges that may have occurred up until now, but getting a new card will close the door on any future illicit use of the old account. That’s what I did.
The first words I heard when I called my credit card company were, “We are aware of the data breach at Target stores and we’re monitoring our credit and debit cards to help protect you. You should know that you are not liable for any losses that you report to us.” The “that you report to us” part did not give me comfort, as some card issuers have a fraud-reporting time limit that can be as short as thirty days. I pressed the appropriate buttons to stay on hold and hopefully speak to an actual human. I was told that, due to unexpected call volume, my wait time could be longer than usual. My wait time was about five minutes.
When the polite gentleman who finally answered asked how he could help me, I told him I had used my credit card at a Target store during the infamous nineteen days. After he verified my identity, I explained I would like to cancel my current card and be issued a new one. “No problem,” he replied, “I will be glad to help you with that.” A few more questions, a few more keystrokes and the job was done. I was told the card would be cancelled immediately, and to expect my new card in three to five days. I was reminded that if I had any automatic bill pay accounts that referenced the old card, they should be changed as soon as possible, as the old card number would no longer work. Mission accomplished.
How were 40 million credit card accounts stolen from Target? A growing body of facts points to lax security practices on Target’s part, including failure to adhere to Payment Card Industry Data Security Standard (PCI-DSS) practices that all retailers, big and small, handling credit card transactions are supposed to follow.
The fact that CVV numbers (the security codes printed on the back of cards) were stolen indicates that Target was storing the numbers on their computer systems, a practice that has been banned by card issuers for a number of years. This and other security problems may leave Target on the hook for up to $3.6 billion in civil fines, lawsuits and other penalties before the whole mess is cleaned up.