FAQ: Information about recent retail data breaches in the United States
By Christopher Budd

On Friday January 10, 2014, Target announced that additional data was lost in the data breach they disclosed on December 19, 2013. On that day, it was also reported that Neiman Marcus had some of their in-store customers’ credit and debit card information stolen.

All of this new information can make the situation confusing. To help you better understand what’s going on, what this might mean for you, and what you should do, we’ve put together a list of Frequently Asked Questions (FAQ) to break out the issues and explain them for you.

In addition to this FAQ, you should read Target’s official FAQ. Target has also put together a central information hub that collects information and resources related to this situation.

What is the latest about the Target data breach?

On Friday January 10, 2014, Target announced that personal information of up to 70 million individuals was lost in the data breach they originally announced on December 19, 2013.

Is this a new data breach?

No. According to Target, this is not a new data breach. Target says this information was stolen as part of the data breach that they originally announced in December 2013.

But Target is saying new data has been lost, right?

That’s right. While they’re saying there wasn’t a new incident, they are saying that they now understand that more data was lost in the December incident than they previously thought. To use an everyday analogy, burglars broke into their house only once in December. But in addition to the TV that Target knew was stolen then, they’ve now discovered that the burglars also took a laptop.

What data did Target say was lost in the original announcement in December 2013?

Target announced in December that credit and debit card information of up to 40 million people who shopped in stores in the United States between November 27, 2013 and December 15, 2013 was stolen.

How is this new data loss different from what Target announced in December?

With this latest announcement, Target is saying that personal information of up to 70 million customers was also lost. This loss is different because it’s a different set of data: it’s personal information instead of credit and debit card information. And it’s a separate pool of affected people: it’s 70 million people instead of 40 million people.

What’s the relationship between the two Target data losses? If I was one of the 40 million people affected by the data loss announced in December 2013, am I affected by this one?

You might be. However, we just don’t know for sure.

Target hasn’t said that there’s any relationship between the two data losses other than that they happened as part of the same data breach. Reports indicate there is some overlap, meaning some customers are affected by both data losses. But reports also indicate that a total of over 100 million customers may be affected across the two data losses. The Washington Post notes this means that up to 1/3 of households in the United States may be affected by this situation.

What information was lost in the January 2014 Target data loss?

According to Target, the data lost includes names, mailing addresses, phone numbers, or email addresses for customers.

Is there anything else different between the two Target data losses?

Yes. Target has said that in response to the December 2013 data loss they will offer free credit monitoring for all customers who shopped in their stores, not just those 40 million customers whose credit and debit card information was stolen. However, so far, Target has NOT indicated that they will make credit monitoring available for anyone affected by the January 2014 data loss.

What could someone do with this information? How serious is each data loss? How concerned should I be? What should I do?

The December 2013 data loss involves credit and debit card information. That information can be used to make fraudulent purchases. In fact, this has been happening already for weeks. If you are affected by this data loss, it’s very serious and you should be very concerned. You should review your statements regularly and report any fraudulent charges immediately. Since Target is offering credit monitoring for all customers who shopped in their stores, you should sign up for that as soon as possible if you don’t already monitor your credit.

The January 2014 data loss involves personal information but doesn’t include critical information like your social security number. Target also reports that in some cases the information is partial, meaning it may be just your name and email address but nothing else. It’s not enough information by itself to enable full identity theft. But it can be combined with other information for identity theft. The information can also be used to create higher quality spam or phishing emails. Be on the lookout for spam and phishing, especially messages posing as coming from Target.

You should be vigilant for signs of possible identity theft. Because Target has not indicated they will offer credit monitoring to people affected by the January 2014 data loss, you should consider getting that for yourself.

I shopped at a Target store between November 27, 2013 and December 15, 2013 but haven’t been told I’m affected. Should I do anything?

Yes. Target is offering credit monitoring for all customers who shopped in their stores during that window, regardless of whether they were part of the 40 million affected or not. If you shopped at Target during this time, and you don’t already monitor your credit, you should take advantage of their offer for extra protection.

I’m a Target customer, but I didn’t shop at a Target store between November 27, 2013 and December 15, 2013, and haven’t been told I’m part of the 70 million affected by the January 2014 data loss. Is there anything I need to be concerned about?

Possibly. You may be part of the 70 million affected by the January 2014 data loss and not know it. Target has indicated that they will contact people affected by that data loss to the best of their ability. But they may not have enough information to be able to notify you. If you’re a Target customer and haven’t been notified that you’re affected, it is still a good idea to watch for any suspicious activity.

What is going on with Neiman Marcus? I heard they’ve confirmed a data breach that lost customer credit and debit card information like the December 2013 Target data loss.

Right now we don’t have a lot of detail. It was reported on Friday January 10, 2014 that the United States Secret Service is investigating fraudulent charges that in-store Neiman Marcus customers were seeing after shopping there in December 2013. Neiman Marcus confirmed the report on Saturday January 11, 2014. Beyond confirming the report, though, they’ve not yet released any specific details.

That’s not much information. Will they release more information?

Yes, they’ve said they’ll release more information and contact people who are affected. It’s clear they’re still early in their investigation and aren’t releasing information because they just don’t have it yet.

Why don’t they have information? Shouldn’t they easily know who’s affected?

Investigating data breaches is a very meticulous process. If you’ve ever seen shows like “CSI,” you’ve seen how forensics investigations are a careful scientific process. The same is true for computer forensics: investigators have to methodically investigate point-of-sale terminals, servers, network equipment, firewall logs, and databases among other things. And as we’ve seen with the Target data breach, these investigators have to comb through hundreds of millions, if not billions, of records. And they have to do this in a way that is documented appropriately to withstand the challenges that may be raised in a criminal trial.

I shopped at Neiman Marcus over the holidays. What should I do?

Until Neiman Marcus can give more information, everyone who shopped in-store from November 2013 until January 10, 2014 should thoroughly review their credit card statements for the cards they used while shopping there. You should also watch the news for more information so that when Neiman Marcus does release information about the scope of affected customers, you’ll be aware. Finally, you should be on the lookout for notifications from Neiman Marcus that you are affected.

I’ve received a notification from Target and/or Neiman Marcus that I’ve been affected. What should I do?

First, you should not click any links in any email notification or give any personal information on an incoming phone call. With these incidents gaining broad attention, they’re now prime candidates for spam, phishing, and telephone fraud. If you receive a notification, you should first take steps to verify that the notification is legitimate. Official notifications will be backed up by information on the company’s websites and through the customer service organizations. To start the process, visit the company’s official web page and/or call its official customer support line.

I’m not a Target or Neiman Marcus customer. Is there anything I need to be concerned about with these incidents?

You don’t need to be concerned about being at risk from this incident per se. But you should be concerned for what this means in general. Target and Neiman Marcus are large companies with ample resources and good security practices. If they can be breached like this, it means others can as well. Therefore, it’s time for all of us to seriously consider real-time identity theft monitoring as a best practice. This also underscores the importance of running modern security suites that provide multiple layers of protection on your computers and devices.

 


Christopher Budd is a communications manager with Trend Micro. His focus is on communications around online security and privacy threats to help people understand in plain English the risks they face and what they can do about them. In addition, he focuses on managing crisis communications utilizing a framework and processes he helped put in place.