So apparently there’s yet another data breach. This time at the arts and crafts chain Michaels. In their announcement (available here) they don’t say when the breach started, when it ended, if it has ended, or really anything about the breach other than the fact that it happened.
The safest assumption is that if you’ve used your card at Michaels in the second half of 2013 you’ll want to request a new card from your bank. If you don’t want to go through the hassle of getting yet another new card, then at the very least you’ll want to monitor your bank account regularly to ensure that no one else is using your card to make purchases. I’d go with this for now until Michaels tells us more about the details of the breach.
I’m pleased to announce that “Basics of Digital Privacy” is now available on Amazon’s Kindle eReader platform.
If you shopped at Target in the United States between Thanksgiving and Christmas then there is a pretty good chance that your credit card data for the credit card that you used was stolen by some cyber thieves. Because of this massive data theft Target has arranged for credit monitoring services for all Target customers for a year.
The only way to get signed up is via the webpage which Target has set up at https://creditmonitoring.target.com/. Any other website which claims to be signing people up for this (and there are going to be several of them popping up rather quickly) is a scam. Also, if anyone calls you trying to get you signed up, they are scamming you.
If you shopped at Target, I’d recommend getting signed up for the monitoring service. According to Target:
Guests have until April 23, 2014 to sign up to receive an activation code. Activation codes must be redeemed by April 30, 2014.
So go get signed up.
There is always a problem when it comes to knowing if your data has been compromised online. That problem is: how do you know if your data has been compromised? Until now you would need to download and scan the list of compromised accounts yourself. Now there is a much easier way.
The website “have i been pwned?” (https://haveibeenpwned.com/) has been created to help you solve this exact problem. This website is very simple: when large amounts of data have been breached and the lists made public, they are loaded into this website so that you can search and see if your account was on one of the lists.
Let me be clear, the person who created this website is NOT the person who is stealing your data, he’s just taking data that someone else has stolen and making it so that you can easily search the data without having to figure out where to get the data, and without having to figure out how to search through all this data manually.
So who created this site? The answer here is also pretty easy: his name is Troy Hunt and he is trustworthy. He is a well-known IT security researcher and author who made this website to make everyone else’s life easier. If you have questions about the site, I would recommend checking out the FAQ that is posted. If you’ve read Basics of Digital Privacy, Troy’s name may look familiar. This is because I talked about Troy a couple of times in the book, and you’ll see a couple of links to Troy’s blog over on the links page, specifically this one.
Currently the website allows you to search for your email address, and it allows you to set up alerts so that when new data is loaded into the system, the website can email you if your email address has been compromised.
I highly recommend checking your email address via this website and setting up alerts for your email address.
There are new features coming that Troy is working on, but I’m not going to steal Troy’s thunder.
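To make the search-and-alert workflow concrete, here is a small added model of such a breach index. This is my own illustration, not Troy’s code and not how haveibeenpwned is actually built: breach lists are loaded, addresses are normalised and stored as SHA-256 fingerprints, lookups match against those fingerprints, and loading a new list returns the subscribers who should be emailed. All dump contents are constructed sample data.

```python
import hashlib
from collections import defaultdict

def normalize(email: str) -> str:
    """Trim and case-fold so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()

def fingerprint(email: str) -> str:
    """SHA-256 of the normalised address; the index stores this rather than the raw list."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

class BreachIndex:
    """Toy model of a searchable breach index with email alerts (assumed design, not HIBP's)."""

    def __init__(self):
        self._hits = defaultdict(set)   # fingerprint -> names of breaches it appeared in
        self._subscribers = {}          # fingerprint -> address to notify

    def load_breach(self, breach_name: str, leaked_addresses):
        """Index a newly published dump; return (address, breach) pairs that need an alert."""
        alerts = {}
        for raw in leaked_addresses:
            if "@" not in raw:          # skip junk lines that are not email addresses
                continue
            fp = fingerprint(raw)
            self._hits[fp].add(breach_name)
            if fp in self._subscribers: # one alert per subscriber per breach, even if listed twice
                alerts[fp] = (self._subscribers[fp], breach_name)
        return sorted(alerts.values())

    def search(self, email: str):
        """Names of loaded breaches containing this address (empty list if none)."""
        return sorted(self._hits.get(fingerprint(email), ()))

    def subscribe(self, email: str):
        """Register for alerts; returns any breaches already on file for the address."""
        self._subscribers[fingerprint(email)] = normalize(email)
        return self.search(email)

def demo():
    """Walk through load -> search -> subscribe -> new load using constructed sample dumps."""
    idx = BreachIndex()
    idx.load_breach("constructed-dump-A", ["alice@example.com", "bob@example.org", "not an email"])
    found = idx.search(" ALICE@Example.com ")    # -> ['constructed-dump-A']
    pending = idx.subscribe("Bob@Example.org")     # -> ['constructed-dump-A']
    alerts = idx.load_breach("constructed-dump-B",
                             ["bob@example.org", "BOB@example.org", "carol@example.net"])
    return found, pending, alerts                  # alerts -> [('bob@example.org', 'constructed-dump-B')]

if __name__ == "__main__":
    print(demo())
```

Hashing the addresses is only a modest safeguard, since email addresses are easy to guess; the point of the model is the flow, not the storage scheme.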
The news just keeps getting worse for Target and their customers. Over the weekend it was announced (original announcement from Target is here) that Target has joined an elite club, specifically the 100 Million club. It is a club that no company ever wants to be a part of, because it means that people have stolen data on more than 100 million people from the company.
In the case of the Target breach, the first information which was known to be stolen was information for around 70 million credit and debit cards which were used in Target stores (which included one of my cards, which I’ve since canceled). In this new finding (which, to be clear, was part of the same data theft, but was only just discovered) another 70 million customers’ information has been taken. But the data which was taken this time is very different from the credit card data. This time it was what is called Personally Identifiable Information, such as names, addresses, phone numbers, etc. This is exactly the information which someone would need to attempt to open credit cards in another person’s name.
As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
This information is invaluable to data thieves as they can now begin matching this data up against other credit card data which they have in order to build a better profile about the specific credit cards to make it easier to use the stolen card numbers as well as sign up for more credit card accounts.
The breach notification from Target doesn’t give a whole lot of technical information about the breach or about whether the data which was taken was encrypted or not, but the fact that Target announced the breach tells me that the data wasn’t encrypted, which means that Target did not do a proper job of securing the data. This leads me directly to what I wrote in Chapter 1 of “Basics of Digital Privacy”, where I talk specifically about knowing how the companies which we trust with our data actually secure that data, so that we know for sure that the information which we trust them with is fully secured.
For the companies out there, they need to be reading books on data security from both the IT Professional side (such as my book “Securing SQL Server“) as well as from the consumer side (such as my book “Basics of Digital Privacy“) so that these sorts of things can be stopped before they happen.