Enjoying That New Credit Card Number? Time To Get Another One.

So apparently there’s yet another data breach.  This time at the arts and crafts chain Michaels.  In their announcement (available here) they don’t say when the breach started, when it ended, if it has ended, or really anything about the breach other than the fact that it happened.

The safest assumption is that if you’ve used your card at Michaels in the second half of 2013 you’ll want to request a new card from your bank. If you don’t want to go through the hassle of getting yet another new card then at the least you’ll want to monitor your bank account regularly to ensure that no one else is using your card to make purchases. I’d go with this for now until Michaels tells us more about the details of the breach.

Denny

Target’s Credit Monitoring Service is Ready

If you shopped at Target in the United States between Thanksgiving and Christmas then there is a pretty good chance that the data for the credit card that you used was stolen by some cyber thieves. Because of this massive data theft Target has arranged for credit monitoring services for all Target customers for a year.

The only way to get signed up is via the webpage which Target has set up at https://creditmonitoring.target.com/. Any other website which claims to be signing people up for this (and there are going to be several of them popping up rather quickly) is a scam. Also, if anyone calls you trying to get you signed up, they are scamming you.

If you shopped at Target, I’d recommend getting signed up for the monitoring service.  According to Target:

Guests have until April 23, 2014 to sign up to receive an activation code. Activation codes must be redeemed by April 30, 2014.

So go get signed up,

Denny

Target Breach Proves That We Can’t Trust Companies

The news is just getting worse and worse for Target and their customers. Over the weekend it was announced (original announcement from Target is here) that Target has joined an elite club, specifically called the 100 Million club. This is a club that no company ever wants to be a part of because it means that people have stolen data on more than 100 million people from the company.

In the case of the Target breach the first information which was known to be stolen was information for around 70 million credit and debit cards which were used in Target stores (which included one of my cards, which I’ve since canceled). In this new finding (which to be clear was part of the same data theft, but was just found) another 70 million customers’ information has been taken. But the data which was taken this time is very different from the credit card data. This time it was what is called Personally Identifiable Information such as names, addresses, phone numbers, etc. This is the exact information which someone would need to attempt to open credit cards in another person’s name.

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

This information is invaluable to data thieves as they can now begin matching this data up against other credit card data which they have in order to build a better profile about the specific credit cards to make it easier to use the stolen card numbers as well as sign up for more credit card accounts.

The breach notification from Target doesn’t give a whole lot of technical information about the breach or if the data which was taken was encrypted or not, but based on the fact that Target announced the breach this tells me that the data wasn’t encrypted which means that Target did not do a proper job securing the data. This leads me directly to what I wrote in Chapter 1 of “Basics of Digital Privacy” where I talk specifically about knowing how the companies which we trust with our data actually secure that data so that we know for sure that the information which we trust them with is fully secured.

For the companies out there, they need to be reading books on data security from both the IT Professional side (such as my book “Securing SQL Server”) as well as from the consumer side (such as my book “Basics of Digital Privacy”) so that these sorts of things can be stopped before they happen.

Denny

http://basicsofdigitalprivacy.com

Your PIN Number Is Not As Secure As You Think

I ran across an older blog post that I think is very relevant given the Target breach as so many people will be setting up new ATM PIN numbers to secure their ATM cards.

The most popular password is 1234, with nearly 11% of the 3.4 million passwords being 1234!!!

I knew that 1234 would be popular but 11% is just a really high percentage of people using this PIN number. Taken together, the top 20 most popular PIN numbers in this sample set account for a little over 25% of the population’s PIN numbers. That’s the top 20 most popular PIN numbers out of the total possible 10,000 PIN numbers which are available when using a 4-digit PIN, which is what basically all banks use.

The blog post is a little geeky on the math and statistics side of things, but it makes for some interesting reading.

Denny