The news for Target is just getting worse and worse for Target and their customers. Over the weekend it was announced (original announcement from Target is here) that Target has joined an elite club, specifically called the 100 Million club. This club is a club that no company ever wants to be a part of because it means that people have stolen data on more than 100 million people from the company.
In the case of the target breach the first information which was known to be stolen was information for around 70 million credit and debit cards which were used in Target stores (which included one of my cards, which I’ve since canceled). In this new finding (which to be clear was part of the same data theft, but was just found) another 70 million customers information has been taken. But the data which was taken this time is very different from the credit card data. This time it was what is called Personally Identifiable Information such as names, addresses, phone numbers, etc. The exact information which someone would need to attempt to open credit cards in another persons name.
As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
This information is invaluable to data thieves as they can now begin matching this data up against other credit card data which they have in order to build a better profile about the specific credit cards to make it easier to use the stolen card numbers as well as sign up for more credit card accounts.
The breach notification from Target doesn’t give a whole lot of technical information about the breach or if the data which was taken was encrypted or not, but based on the fact that Target announced the breach this tells me that the data wasn’t encrypted which means that Target did not to a proper job securing the data. This leads me directly to what I wrote in Chapter 1 of “Basics of Digital Privacy” where I talk specifically about knowing how the companies which we trust with our data actually secure that data so that we know for sure that the information which we trust them with is fully secured.
For the companies out there, they need to be reading books on data security from both the IT Professional side (such as my book “Securing SQL Server“) as well as from the consumer side (such as my book “Basics of Digital Privacy“) so that these sorts of things can be stopped before they happen.
Pingback: Just Because It Isn’t a Password Doesn’t Mean It Shouldn’t Be Encrypted | Securing SQL Server