A cautious approach after breach
I wimped out.
At a local Target store a few days after the No. 3 U.S. retailer disclosed a massive customer data breach, I handed over cash instead of my credit card.
It wasn’t an unreasonable reaction because, despite assurances that the theft had been contained, Target still hasn’t offered many details on exactly what went wrong.
Like consumers nationwide, I have been monitoring my account to make sure no one else is using my card. But I don’t like not knowing whether I was among the estimated 40 million debit and credit cardholders affected by the breach.
I shopped at Target twice during the Nov. 27-Dec. 15 breach period, my account shows, and I made other credit card purchases a day or two on either side of those dates. (One of the Target transactions became complicated when the cashier charged me for a gift card I handed her, instead of applying it to my purchase. That sale later was voided and a new sale rung up — meaning two credit card swipes on one of the shopping trips.)
Target has been posting daily to its website and Twitter account about the breach. It says the theft relates to malware loaded onto its system, but not how it got there or who might be suspect. “The Secret Service has asked not to share many of the details of the forensics and investigation,” the company says in one posting, which means we won’t get the full picture for a while.
But the credit card networks have been given the numbers of cards that might have been affected, Target says, and that information has been passed along to the financial institutions that issued the cards.
Does not hearing from my bank, then, put me in the clear?
When retailer TJX Cos., parent to Marshalls and T.J. Maxx, experienced the largest data breach in history in 2007, my bank sent me a new credit card before I was even aware of the incident. (TJX was criticized for dragging its feet on disclosing the breach.) I also got a new one after grocer Hannaford was breached in 2008.
This time, nothing.
Reuters reports that global card fraud reached a record $11.3 billion in 2012, with nearly half the losses occurring in the United States. A study commissioned by a security software company says the average data breach costs U.S. businesses $188 per lost record — meaning they can be quite costly. Under federal law, consumers can’t be held liable for unauthorized purchases made when their account numbers are stolen.
Target said it was aware of “very few reports of actual fraud” from the breach, but was watching closely. So too are attorneys general from four states, including New York, who have been pressing for more information on the theft. On Monday, they were scheduled to receive a telephone briefing from Target’s general counsel, Timothy Baer, I was told by a representative for New York Attorney General Eric Schneiderman.
Much has been written in the past week about “chip” technology that could have prevented the theft and how we Americans are so obsessed with convenience that we’ll settle for replacement cards time and again over a more secure system — as long as we can keep shopping.
I’ll plead guilty to the latter if retailers, banks and credit card companies would just work harder on the former.
Marlene Kennedy is a freelance columnist. Opinions expressed in her column are her own and not necessarily the newspaper’s. Reach her at firstname.lastname@example.org.