Millions of Target customers should expect a surprise in their inboxes

ByClaudiu Popa

What was already a catastrophically large security breach became ridiculously monumental today as Target notified the public that an additional 30 million customers have been added to the previous total of 40 million victims.

In Target parlance, ‘guests’ are customers, visitors, online shoppers and anyone who still dares to darken their steps in light of the new announcement – which the company says may account for up to six per cent in the drop in sales for the quarter.

Related

Target’s data breach exposes 40 million credit card numbers

For the rest of us, store visitors are at least browsers and at most, shoppers. Until they make a purchase, that is, at which point they become ‘customers’.

And customers, 70 million of them, are being notified that their names, credit and debit card numbers, card expiration dates, debit card PINs and even the code on their card’s magnetic strip has been stolen.

The bad news? The potential for fraud. Targeted, credit and debit card fraud. Identity theft and unauthorized online purchases. Scams of all kinds can be perpetrated with detailed customer profiles, and the Target breach is one of the richest treasure troves of contact details we have seen so far.

The other bad news? Victims can expect phishing emails to come in waves, from Target. Or rather, from what appears to be a legitimate source at Target.

How do we know? Because Target has announced that if you’re on the victims’ list and your email address is on file, they will contact you. And they described what it will look like:

MUCH OF THIS DATA IS PARTIAL IN NATURE, BUT IN CASES WHERE TARGET HAS AN EMAIL ADDRESS, WE WILL ATTEMPT TO CONTACT AFFECTED GUESTS. THIS COMMUNICATION WILL BE INFORMATIONAL, INCLUDING TIPS TO GUARD AGAINST CONSUMER SCAMS. TARGET WILL NOT ASK THOSE GUESTS TO PROVIDE ANY PERSONAL INFORMATION AS PART OF THAT COMMUNICATION. IN ADDITION, GUESTS CAN FIND THE TIPS AT TARGET.COM/DATABREACH.

So American victims’ inboxes may soon be populated with phishing messages that look something not quite unlike this:

SUBJECT: IMPORTANT MESSAGE REGARDING THE SECURITY OF YOUR TARGET ACCOUNT

BODY: DEAR JOHN DOE,

TARGET TODAY ANNOUNCED UPDATES ON ITS CONTINUING INVESTIGATION INTO THE RECENT DATA BREACH AND ITS EXPECTED FOURTH QUARTER FINANCIAL PERFORMANCE.

AS PART OF TARGET’S ONGOING FORENSIC INVESTIGATION, IT HAS BEEN DETERMINED THAT CERTAIN GUEST INFORMATION — SEPARATE FROM THE PAYMENT CARD DATA PREVIOUSLY DISCLOSED — WAS TAKEN DURING THE DATA BREACH.

THIS THEFT IS NOT A NEW BREACH, BUT WAS UNCOVERED AS PART OF THE ONGOING INVESTIGATION. AT THIS TIME, THE INVESTIGATION HAS DETERMINED THAT THE STOLEN INFORMATION INCLUDES NAMES, MAILING ADDRESSES, PHONE NUMBERS OR EMAIL ADDRESSES FOR UP TO 70 MILLION INDIVIDUALS.

I KNOW THAT IT IS FRUSTRATING FOR OUR GUESTS TO LEARN THAT THIS INFORMATION WAS TAKEN AND WE ARE TRULY SORRY THEY ARE HAVING TO ENDURE THIS.

It will then draw the reader’s attention to the next paragraph:

AS A VALUED GUEST, YOU WILL HAVE ZERO LIABILITY FOR THE COST OF ANY FRAUDULENT CHARGES ARISING FROM THE BREACH IF YOU ENROLL INTO OUR FREE CREDIT MONITORING AND IDENTITY THEFT PROTECTION PROGRAM AS SOON AS POSSIBLE. PLEASE NOTE THAT THE SOONER YOU SIGN UP, THE FASTER WE CAN ACTIVATE YOUR FRAUD PROTECTION. IT ONLY TAKES 4 MINUTES AND IS ENTIRELY VOLUNTARY. CLICK THE FOLLOWING LINK OR GO TO THIS SITE TO SIGN UP: TARGET.COM/FRAUDPROTECT.

ONCE YOU HAVE ENROLLED, YOU WILL RECEIVE A CONFIRMATION EMAIL THAT WILL ALSO INCLUDE SIMPLE TIPS AND BEST PRACTICES YOU CAN USE TO PROTECT YOUR ENTIRE FAMILY AGAINST THIS KIND OF BREACH.

SINCERELY,

GREGG STEINHAFEL, CEO
TARGET BRANDS, INC.

Out of 70 million guests, it is safe to assume that at least a few million will have their email addresses on file. But guess what? The rest can be reached by phone, or reached by good old snail mail. And those emails don’t need to include a link to click on, but instead, a phone number to call. Addressing victims by name and even including the last four digits of their card number will go a long way towards earning the trust of both discerning and unsuspecting ‘guests’ alike.

The above link is benign, and a nod to a little known site that I used to enjoy working into conversations, but the risk of infecting computers and conning users is not only real, but imminent.

And that, above all, should be the message that is communicated to U.S. and Canadian shoppers alike.

Is this pure speculation? No. People are already getting defrauded as I’m typing this. Both Target and members of the media should focus on clarifying what the impact of this breach will be on individuals. They need to make it as real as possible to maximize the chances of defusing these malicious attempts before users instinctively react to them. Because by then, it may be too late.

Claudiu Popa is a public speaker, cybersecurity expert and passionate defender of privacy rights who engages audiences through storytelling and weaponizes academic courses, radio, television, podcasts, social media and the written word to fight for the vulnerable in society and catalyze positive social change in Canada.