You head out to Target to pick up a few things.
Maybe you were taking advantage of some great Black Friday sales. Perhaps you needed to re-stock after Thanksgiving. You could have been doing your holiday gift shopping.
Nothing out of the ordinary, right?
Except if you used your credit or debit card then your credit or debit account may have been breached!
You may have heard on the news how Target was… well the target of hackers that compromised the Target credit and debit card database.
Keep reading and I’ll fill you in on what happened, whether you need to be concerned, and what you should do about it.
Everything You Need to Know About the Target Credit Card Data Breach
What Happened to Target
Between November 27th and December 15th, 2013 hackers were able to access credit card data at Target retail locations. They were able to steal the information that is on your magnetic stripe on your card. This story originally broke by Brian Krebs on his security site krebsonsecurity.com (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/).
The information stolen includes customer names, card account numbers, the card’s expiration dates, and CVV1*. With this information hackers can create duplicate cards to do with as they will. According to Target, debit card PIN information wasn’t stolen as far as they know (with a PIN a thief could use a duplicate card to go to an ATM to steal cash from your account).
That doesn’t mean you’re off the hook if you used a debit card. These days most debit cards allow you to use a ‘credit’ option which works similar to a credit card. If you used your debit card in this way between 11/27 and 12/15 then you could be one of the affected customers.
*The CCV1 is data stored in your card’s magnetic strip, this is not the same as the 3- or 4-digit security code you have on your card which is also known as the CVV2 code.
If you shopped at Target between 11/27/13 and 12/15/13 and used your credit or debit card then you are among the 40 million who may be affected. This did not affect those who shopped online or customers in Canada.
Note: Information such as your social security number or birth date was not part of this hack.
Do understand that if you did use your card between these dates it doesn’t mean you will be the victim of fraud. But it does mean you need to be alert and careful.
Update 12/27/13: Target has recently revealed that PIN data was taken as part of the data breach. According to Target your debit card will not be compromised due to this data getting out. The PIN data was encrypted, triple DES encryption to be exact, and Target never had the encryption key that would be needed to see the PIN data. Still, if you have concerns you can contact your bank to have your PIN changed.
What You Need to Do and Watch Out For
Know this — You won’t be held accountable for any fraud charges made with your card. Either Target or your bank will bear that burden. This is according to the announcement on the Target.com site regarding the breach.
But let me tell you something…
You still need to know if fraud has taken place!
Make sure you watch your account and statements like a hawk. Check for any charges that you didn’t make. See, even though you aren’t held responsible for fraud charges no one is going to tell you a charge is fraud.
YOU ARE RESPONSIBLE for a fraud charge until you find it and report it. It’s your responsibility to monitor your accounts and make sure all of the charges are legitimate.
What makes this particular account breach tough is that it happened during the peak of holiday shopping. Your credit card would usually make contact with you if you had spending that was out of the ordinary. But during the holidays people tend to buy things they wouldn’t at other times of the year and they tend to use their cards more.
That one big purchase doesn’t stick out as much.
Don’t wait around for your next statement though. Go to your credit or debit card’s site and check your purchase history.
Credit Monitoring
Here’s the scary thing — You don’t know when fraud will take place. If your card information was stolen you might not have any fraud for months (if at all).
This is where credit monitoring comes in.
Target has stated that they will be offering up free credit monitoring services for everyone that is affected by this hacking. They currently don’t have information as yet on how that will work. I’ll update this when that becomes available.
If you haven’t yet you can get a free copy of your credit report and history from AnnualCreditReport.com. You’re allowed a copy of your report from each of the three credit bureaus once every 12 months (TransUnion, Experian, and Equifax). This tells you the accounts you have open and your purchase and payment history.
Give it a little time before you request your reports though. Your credit reports will only have information that has been reported to them by the companies you have credit with. If they haven’t updated your accounts with the credit bureaus yet then it will look like there’s nothing wrong but really the information hasn’t hit the report yet.
Another tool is a credit monitoring service.
These services generally give you access to your credit report and credit score (you can usually access these often). You can also usually set up credit alerts that will inform you, via text or email, when events like large purchases are made, accounts are opened, or when there have been changes in your credit score.
Many of these services cost money though. You can get free trials but then you are charged after the trial ends.
There are a couple of credit services that are free though – Credit Karma (review) and Credit Sesame (review).
Related: Where You Can Get Your Credit Scores For Free
Scam Calls and Emails
Watch out for calls and emails asking for information such as your social security number and your birth date or any other personal information. These are scams looking to get information they can use for identity theft.
But what could happen is a scammer that has your credit information could try to pry your personal information from you.
Never give out personal info like your social security number to someone that calls asking for it over the phone. If you have any doubts then call your credit company yourself to see if there is an issue.
Also never log onto an account from an email you receive asking you to. Odds are this is a phishing scam looking to steal your log-in information. If you need to check your account enter it yourself from the information on your card or statement.
Fraud Alert
If you are concerned about fraud accounts being opened up in your name you can have a ‘fraud alert’ placed.
Call one of the three credit bureaus (TransUnion, Experian, and Equifax) and request to have a Fraud Alert put on. The credit bureau you pick has to tell the other two that you are placing a Fraud Alert so that they can place them on your account as well. They will ask you for personal information to make sure it’s you. This process is free to place.
What the Fraud Alert does is make it harder for anyone to open up an account in your name. When a request for an account is made the business has to contact you before an account can be opened.
Go look at your calendar and count out 90 days. This is how long your Fraud Alert lasts. If you want to keep the alert after the initial 90 days then you need to call the credit reporting agency again. A great way to keep track is to set up a reminder in your favorite online calendar. Here’s our article on setting up reminders in Google Calendar.
Here’s information on Fraud Alerts from the FTC: http://www.consumer.ftc.gov/articles/0275-place-fraud-alert
Change Your Account Number’s
If you really want to be pro-active you can call your credit companies and banks and have them issue you new account numbers for any cards you used at Target during the affected times. This way the old account numbers will be closed and can no longer be used.
One thing you need to be aware of though is to update any places that you may have set up with your card such as monthly payments or transfers (for example a monthly subscription like Netflix). You don’t want to have an important charge or payment not go through because your account number changed.
Change Your Debit Account PIN
Even though Target says the PIN’s weren’t part of the hacking you may want to be extra careful and change the PIN on any debit cards you may have used.
A PIN transaction requires you to enter a code for the purchase to take place. This is different from using a credit transaction with your debit card (yes, that does sound a bit confusing). If your debit card has a little Visa or MasterCard logo then you are able to make credit transactions with your debit card. The money still comes out of your checking but you’re not using your PIN. You also get more protection this way as it’s seen as a ‘credit’ purchase not a debit purchase.
Place a Credit Freeze
This option is a little more extreme than a Fraud Alert but it’s also more effective.
With a Credit Freeze you are asking each of the credit bureaus to stop anyone from accessing your credit report. In order to open up new credit you need to get back in touch with the credit bureau and ask to have the freeze lifted. The bureau will give you a special number that only you will have so you need this to unlock your credit.
Basically, no one but you can access your credit.
The drawback with a credit freeze is that 1) it will usually cost you money (there are circumstances, like fraud, where you can place one for free); and 2) you no longer have quick access to your credit report. This means if you wanted to apply for credit anywhere you would first have to life the credit freeze from your accounts. Also, this doesn’t prevent any fraud from taking place on your current accounts.
Here’s our article on protecting yourself from fraud with a credit freeze.
What to Do If You Find a Fraud Charge
If you find a charge that isn’t yours then immediately report it to your bank or credit card company.
They will put a freeze on the charge and investigate it on their end. You will probably get a new account as well to prevent any further fraudulent charges. Make sure any services you have that use your account have the new number!
Then you’ll want to continue to monitor your accounts to make sure no other fraud appears.
You may also want to have a Fraud Alert placed on your credit as well.
Here’s Target CEO Gregg Steinhafel talking about what to do:
http://www.youtube.com/watch?v=tNLw5Q2V0WQ
Related: Victim of Identity Theft? Here Are Your Next Steps to Protect Yourself
What I Did When I found Out About the Target Credit Account Breach
We shop Target often so of course I was concerned about this.
I grabbed my recent receipts (yes I tend to keep them for a bit) and looked for any from Target. It happens I did shop there but it was before Nov. 27 and we haven’t been there since.
I also logged onto my credit card account online to check if there were any Target charges in the affected dates and also looked for any fraud charges. So far it looks clean.
Next I logged onto my checking account in case I used my debit card at Target. I didn’t use my debit card there.
That doesn’t mean I won’t keep an eye out going forward. As this is an ongoing investigation we could find out the dates are broader than what was stated. I hope that’s not the case but my hope isn’t enough to keep my accounts safe.
This Wasn’t Even the Biggest Account Breach
You think 40 million accounts is pretty big don’t you? Well that gets third place overall.
In 2007 retailer TJX Cos Inc (TJ Maxx, Marshalls, and Home Goods) had their accounts breached which affected 90 million customers. In 2009 a breach at Heartland Payment Systems, a credit card processor, affected over 130 million cards.
Some believe that credit card companies aren’t doing enough to thwart credit card fraud. Many countries in Europe have required smart chip technology in credit cards. These chips serve up different encrypted values every time they are used making it difficult for fraud to occur.
Finally
Target seems to be taking action but I’d like to see them do more.
They say they will offer free credit monitoring but it could take weeks for that to be set up. They should also make the account breach information more prominent than the small banner they have at the top of their site. They should have a pop-up telling people where to go for information and they should also have a place where you can leave your email or phone number for further information about the credit monitoring.
Target really needs to show they are in this with their customers and do what they can to assuage any fears as well as make it easy to get information.
We have to be responsible for the safety of our own accounts. This hacking demonstrates how important it is for you to check your accounts monthly and make sure everything is legitimate. You also need to monitor your credit reports and make sure the information there is correct.
I’ll still shop at Target. But I’ll be vigilant in keeping track of my purchases to make sure there’s no fraud. In fact I’ll do this for all of my accounts.
Remember: You are responsible for keeping watch over your credit.
Resources for you:
Target: 866-852-8680
TransUnion 1-800-680-7289
Experian 1-888-397-3742
Equifax 1-800-525-6285
FTC – Signs of Identity Theft
FTC: Immediate Steps to Repair Identity Theft
AnnualCreditReport.com
Sources
Target
FTC – Are You Affected By the Recent Target Hack
Target cyber breach hits 40 million payment cards at holiday peak | Reuters
Target Struck in the Cat-and-Mouse Game of Credit Theft – NYTimes.com
Sources: Target Investigating Data Breach — Krebs on Security
TARGET credit card theft swells to 40 million victims – Washington Times
My wife charged a purchase at Target during the hacked period. I called our credit card service and they said don’t worry about it. That they were monitoring the situation and would send us new cards if our were compromised. Since they are the ones who will eat any frausulent charges, I left it at that.
How would your credit card company know if you had a fraudulent charge or not though? Some things could be obvious like a big charge from a part of the country that’s out of the ordinary, but how would they be able to tell about a smaller online charge?
Thanks for sharing all of these resources! Thankfully, I didn’t shop at Target after Thanksgiving, but I know a lot of people who did shop there and are pretty bummed about the situation.
It’s a pretty scary thing. Please pass the article along to your friends so they know what to do.
Great resource Glen! We have a couple of friends who were impacted by this actually and their banks canceled their cards and issued new ones fairly quickly. To my knowledge, how it would work out is that Target would be on the hook for most, if not all, of the issues as the retailer is the one bearing the risk – which would make you think they would want to get more in front of it but it doesn’t necessarily seem to be the case.
Thanks for the info John. Yes, you would think Target would be more forthcoming. They should be doing all they can to endear themselves and build trust with their customers. They haven’t been horrible but I think they could be doing a bit more.
Hey Glen,
I’ve been keeping an eye on my credit card statements and haven’t noticed anything suspicious. My wife on the other hand had two suspicious purchases that she didn’t make and we had to get her a new card and have those items removed from her account. I have to double check the timing because it happened before the Target breach was announced, but it could have been related because we shop there all the time.
Wow Mike. Please let us know if you find out it was related.
Hey Glen,maybe you can explain this for me. Just recently (as of May) my mom got a call from target saying her Target card was breached.Although they said she wouldnt have to pay. Her credit limit would be dropped from 1,000 to 200. She responded; my statements dont show any chaarges. How much was charged and when?They keep responding don’t worry about it. She wanted to keep her good standing and credit limit. But with no real answer from Target but B.S. she opted to close her account. Now if you have been a good customer , with good credit standings . Why so evasive ? they would devilge in when or how much was charged. but never on a statement. Please enlighten . Perplexed