Target Update: A Blogger Broke The News; Kansas City Star Reports That The Hackers Did Get The 3-Digit Security Code

Updates

January 10, 2014: Nieman-Marcus said it was also hacked at about the same time as Target. The investigation has just begun. It will be interesting to see where this goes.

January 10, 2014: originally Target said 40 million hacked; now at least 70 million, and very likely close to 110 million. In addition, the hackers got a lot more personal information than originally disclosed.

December 27, 2013: despite earlier, steadfast denials, Target now admits hackers got the PINs. 

December 25, 2013: It was mentioned below that the 3-digit PINs had been stolen but the source of the story was "questionable." It is now being reported over at Yahoo!Finance that, yes, indeed, the 3-digit PINs had been stolen. Target has still not released what data was stolen from the credit cards. It will probably be awhile before I return to Target.

December 21, 2013: Target is telling its REDcard customers to continue using their cards. Even though the account numbers are stolen, Target says they are monitoring credit card use for "unusual buying trends," or something like that. Apparently in New York City, Target customers routinely buy Apple products (iPads, etc) in bulk. I cannot make this up. The New York Post is reporting:

A search of the vehicle turned up $20,000 worth of Apple goods in Target shopping bags inside the trunk. Receipts for the devices — 17 Apple iPad Airs, 11 iTouches and 14 iPad Minis — showed they had been purchased at area Targets, predominantly on Long Island, sources said.

Original Post

 
The Los Angeles Times is reporting what was exactly my experience:

Target — one of the country's largest retailers — is facing accusations that it waited too long in disclosing that its system had been hacked, exposing some 40 million of its customers' credit and debit card accounts. The Minneapolis company waited until Thursday to confirm that a break-in occurred between Nov. 27 and Dec. 15.

The information was then downplayed on the retailer's website, tucked out of view at the very top of the page.

Now, potential victims have said they've been having problems reaching Target's customer service department through its website and call centers. Angry and afraid of identity theft and that scammers might siphon their money dry, they took to social media in droves to vent.

Bekah Sims Andrews complained on Facebook of waiting for 48 minutes on hold hoping to reach a Target associate before being suddenly booted off the call and hearing a busy signal.

"Are you kidding?" Andrews posted on Target's page. "This is completely unacceptable."
Target apologized with a form response, saying the delays were caused by "significantly higher volume than normal" to call centers. The retailer said it was "adding team member support and system capacity as quickly as possible," working to "build capacity hour by hour."

I was on hold for about 35 minutes when I called Target. When I reached a human, a male, I told him I wanted to cancel my account ... it was incredible ... after 30 minutes of being on hold, as soon as I said "cancel" I lost the signal and got the busy signal. 

I called again, and this time, knew that I would probably get a faster response if I called the number to report a stolen card. That worked. I didn't have to talk to anyone; the current account was canceled; and I would be sent a new card. Which I will never use.  

The company learned about the breach by the 15th (and it's my understanding it was a third party that released the story, not Target) and here it was, the 19th, yesterday, and I had still not heard from Target. Not an e-mail with an update. 

After reading several reports, I'm getting the feeling that Target and "authorities" were aware of this breach well before the 15th but were letting it continue hoping to trap the perpetrators. If so, this is going to really make my wife angry. She didn't use her credit card at Target until December 14th. It will be interesting to see if this is true -- that Target and authorities were aware of this breach before the 15th.

I am absolutely amazed that the company would direct its folks to hang up as soon as someone requested that his/her account be canceled. As soon as I said I wanted to cancel my account, I lost the connection and got a busy signal, exactly as described above. 

So, back to the article, what else in the update? What is most irritating, Target points out a few things that weren't taken from the magnetic strip, but has failed to say what exactly what was on the magnetic strip. 

**********************************

Target says the thieves did not get the 3-digit security code, but the Kansas City Star is reporting quite the opposite:

The thieves carted off customer names, card numbers, expiration dates and even the three-digit codes on the back of up to 40 million cards.

Read more here: http://www.kansascity.com/2013/12/19/4702721/tips-for-safe-shopping.html#storylink=cpy

The New York Times  is now reporting:

Scrambling to tamp down consumer outrage over the theft of credit and debit card data from more than 40 million of its customers, Target announced on Friday that it would offer a 10 percent discount on purchases inside its stores on Saturday and Sunday — the final shopping weekend of the holiday season. 

Insult after injury. One gets 10% discount at Barnes and Noble day in, day out just for being a $25/year "loyal" customer.  

It gets worse:

Target, with nearly 1,800 stores and $73 billion in revenue reported last year, would not release information on the effect the hacking news has had on its sales or its traffic, but outrage was ricocheting around the Internet. Customers complained that the company was not doing enough, and that they were encountering error messages while trying to check their Target REDcard accounts online.

John Kenyan, a REDcard holder, said in an email that when he tried to check his account for fraudulent activity, the account listed only the total purchase amount, the date and the store, without listing the individual items purchased. “This makes it almost impossible to check for fraud,” Mr. Kenyan said.

Craig Johnson, president of Customer Growth Partners, a retail consulting and research firm, said Target’s handling of the news had been “less than nimble,” because while the company became aware of the problem on Dec. 15, word first reached its customers days later when a blogger broke the news.

One wonders if Obamacare website, which apparently has no security precautions in place, is actually a safer bet at this time?

This is the real question: if Target only learned about this breach on the 15th, how did they put the necessary security in place by the 19th when the story broke? If it only took a day or two to put the necessary security in place, why wasn't it already done? Ten years ago? The Kansas City Star:

Target said it closed the breach quickly, once it was discovered, and assured customers that shopping was safe again.

Read more here: http://www.kansascity.com/2013/12/19/4702721/tips-for-safe-shopping.html#storylink=cpy

I will eventually go back to Target; it's one of my favorite retailers. But it will be awhile. And I will pay in cash. All I need right now is a package of cherry Twizzlers.