Jessica Piffero of Fresno, Calif., was like millions of other customers who used their debit or credit cards for holiday shopping at a Target store.
Unbeknownst to them, hackers had managed to penetrate Target’s card-payment systems and, over a three-week period in late November and December, steal data for credit and debit card accounts, compromising personal information for as many as 110 million customers nationwide.
Once news broke about the massive data breach, a nervous Piffero began closely monitoring her bank account for funny business – making sure there were no fraudulent transactions with her card number.
Then she received a notice from Golden 1 Credit Union, where she and her husband bank – the Sacramento, Calif.-based credit union “is proactively replacing all potentially impacted cards” of customers who shopped at Target between Nov. 27 and Dec. 15.
“I was a little shocked” by the notice, Piffero said. “You hear about these card breaches in the news, and I’ve never really been a part of this before. I knew this was a large one.”
Monitoring her account information is one of the key things that data security experts agree customers should be doing in the wake of the Target fiasco. But others say it’s an even better idea to cancel the potentially compromised card and ask the bank or credit union to replace it with a new one.
“Frankly, it isn’t a bad idea to replace your card after the holidays anyway,” said Ken Westin, a technology security researcher and a contributor to Tripwire.com’s “The State of Security” blog. “Credit cards are promiscuous; they get handled frequently by a lot of different people, and with each interaction/purchase, the risk increases.
“Then you add in a major breach like this where that number is now out in the wild, and it is better to just put that card out of its misery and get a fresh new one,” Westin said.
That’s one reason that Golden 1 – the seventh-largest credit union in the U.S. – is issuing new cards to about 72,000 members. That’s more than 11 percent of its 651,000 members statewide.
“It was a pretty easy decision, given that this happened right at the holidays,” said Scott Ingram, a Golden 1 spokesman. “We knew people were going to be more likely to use their cards during this time, and the risk of fraud might be higher than at some other time of the year. That made it important to take quick action.”
But that action comes at a cost. Ingram estimated that Golden 1’s expenses to notify its members and replace cards “is approaching about $400,000 for us at this point, not counting staff time and overtime.”
Golden 1 isn’t the only financial institution replacing debit cards. JPMorgan Chase and Union Bank, among others, report that they are replacing cards that are at risk for fraud because of the Target breach.
While Target’s card-data theft was a large and notable breach, it was not the only incident last year in which customers’ information was put at risk. The Identity Theft Resource Center, a San Diego-based nonprofit, reported that through Dec. 31, almost 620 data breaches occurred among banks and financial institutions, businesses, educational institutions, health-care organizations and government or military agencies.
By the ITRC’s reckoning, those breaches potentially put at risk at least 58 million records – Social Security numbers, driver’s license numbers, medical records or credit/debit card data – and possibly many more, because in most instances the volume of compromised information is not publicly reported.
“We know there’s a correlation between data breaches and fraud or identity theft,” said Eva Velasquez, president and CEO of the ITRC. “About one in four consumers who are notified of a data breach will eventually become victims of identity theft.”
The Target breach put the issue at the forefront of the public’s attention. Ordinarily, the ITRC’s toll-free telephone call center in San Diego handles about 10,000 calls in a year. But after the Target situation was reported, “we took 1,100 calls in three days,” Velasquez said. “That tells you how many people are paying attention to this.
“If we had to silver-line this issue, it’s that Target is such an iconic brand and this happened at the holidays, people are now aware that this is something they need to pay attention to,” she added. “The world we live in has these very sophisticated electronic infrastructures, but none of them will be impenetrable.”
While card data and PINs are at risk in the Target breach, Velasquez said there’s no indication from Target that even more critical information, like Social Security numbers, was compromised. “That’s the key component” to fraudsters opening new lines of credit under someone else’s identity.
“We’re telling people to react, but not to panic,” Velasquez said.
ITRC is encouraging people to closely monitor their bank accounts for suspicious charges and to work with their financial institution on what other steps to take, Velasquez said. “Because this breach involves so many different methods of payment – credit cards and debit cards – all of these different card issuers, all these financial institutions have a stake” in protecting their customers.
That’s because businesses face huge costs when data is stolen.
The Ponemon Institute, a data and privacy research firm in Michigan, reported last year that among companies it surveyed, the cost of a data breach from a malicious or criminal attack was estimated at $277 per compromised record. The institute added that last year was the first time malicious or criminal attacks made up the most frequent cause of data breaches – about 41 percent, compared with 33 percent from human error or negligence and 26 percent from system glitches.
Target customers who are concerned about the card-data breach can call the company at (866) 852-8680 or visit www.target.com and click on the “important notice” link near the top of the home page.
More info about credit card fraud, identity theft and other data breach issues is available from the Identity Theft Resource Center, www.idtheftcenter.org or (888) 400-5530.
Customers should also contact their banks or credit unions for information or to report any suspicious account activity.