Son of a breach, two more security incidents are making headlines: Coca-Cola and Michaels Stores.
That means we’re looking at four major data loss events in the past few weeks alone—three at national retailers, including Target and Neiman Marcus.
Companies can learn from how other organizations respond to a data breach, for better or worse. Here are key takeaways for businesses that want to protect themselves from similar disasters.
Communicate the problem quickly and clearly. Don’t follow Target’s footsteps. Hackers stole confidential data of up to 110 million customers who shopped at stores from Nov. 27 to Dec. 15, 2013. But instead of proactively announcing the breach, Target got scooped by respected security blogger Brian Krebs, who broke the story on Dec. 18. On the same day, Target CEO Gregg Steinhafel issued the statement that “we are pleased with Target’s holiday performance.” The company confirmed the breach only after the U.S. Secret Service and American Express released their own investigations.
Michaels, on the other hand, is taking the opposite tack. Though an investigation is still underway, the arts-and-crafts retailer confirmed it was investigating a potential breach immediately after Krebs broke the news. Michaels said it wanted to notify customers “in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers.” The company may avoid PR waves by slipping this news in quickly while the Target and Neiman Marcus breaches are still being digested. “Michaels could be taking a page from the Heartland playbook,” said Eduard Goodman, chief privacy officer at IDentity Theft 911, referring to the payment systems company’s breach announcement on the day of President Obama’s 2009 inauguration.
Consider communications to potential victims with great care. Target made yet another egregious error by notifying customers of the breach via poorly considered, suspicious-looking email communications. The email came from a suspicious sender address, TargetNews@target.bfi0.com, instead of an @target.com address. Plus, it directed users to click on a link for additional details on the monitoring. The bizarre “bfi0” in the domain suggested nothing official to differentiate the message from the phishing and malware-laden emails that scammers send following such corporate data breaches; scammers often make subtle tweaks of exactly this kind. Many people who received the email didn’t actually shop at Target during the compromised dates, which made the email appear even more like a scam. Because the notice was delivered via email, and probably because it originated from a suspicious address, the original message ended up in many junk mailboxes.
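To make the sender-domain problem concrete, here is an added example (not from the article or from Credit.com) that classifies a notification's sender address against the brand's real domain. It uses the article's TargetNews@target.bfi0.com address plus constructed lookalikes, and it assumes a simplified two-label notion of "registrable domain" instead of the Public Suffix List.

```python
"""Classify a breach-notification sender address relative to a brand's real domain.

Added example. The registrable-domain logic is deliberately simplified (last two
labels); production code should consult the Public Suffix List so that names such
as example.co.uk are handled correctly.
"""
from typing import Optional


def registrable_domain(host: str) -> str:
    # Simplification (assumption): the registrable domain is the last two labels.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_host(address: str) -> Optional[str]:
    # Return the host part of a bare address, or None if it is malformed.
    if address.count("@") != 1:
        return None
    local, host = address.rsplit("@", 1)
    if not local or not host or "." not in host:
        return None
    return host.lower()


def classify_sender(address: str, brand_domain: str) -> str:
    """'brand' if the address is under the brand's registrable domain,
    'lookalike' if it merely contains the brand name elsewhere in the host,
    'unrelated' otherwise, 'malformed' if it cannot be parsed."""
    host = sender_host(address)
    if host is None:
        return "malformed"
    brand_reg = registrable_domain(brand_domain)
    if registrable_domain(host) == brand_reg:
        return "brand"            # e.g. news@target.com, alerts@mail.target.com
    brand_label = brand_reg.split(".")[0]
    if brand_label in host:
        return "lookalike"        # e.g. target.bfi0.com, target.com.example.net
    return "unrelated"


if __name__ == "__main__":
    # The article's real address plus constructed samples for comparison.
    samples = ["TargetNews@target.bfi0.com", "news@target.com",
               "alerts@mail.target.com", "x@target.com.example.net",
               "x@example.org", "not-an-address"]
    for s in samples:
        print(f"{s:32} -> {classify_sender(s, 'target.com')}")
```

Note that a "lookalike" verdict only says the host is not the brand's own domain; a retailer that really does use a third-party mailer should publish that fact on its own site so recipients can verify it.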
In Coca-Cola’s case, proper security controls clearly weren’t in place. A former employee responsible for maintaining and disposing of computer equipment kept the old computers that contained the personal information of more than 70,000 employees, as well as corporate data. A solid information security policy would cover the handling, sanitization and disposal of sensitive data. Implementation of proper policies and controls with IT governance oversight can minimize the risk of data leakage caused by the disposal of old computer hardware.
Hackers are working to exploit weaknesses in retailers’ point-of-service systems and networks. For example, they’re targeting weak administrative passwords used to manage POS systems remotely and finding clever ways to install malware. Retailers would do well to strengthen those POS systems and networks by 1) using strong passwords or two-factor authentication for POS administrative access and accounts, 2) updating POS software applications using the latest security patches, 3) restricting outside access to POS systems from the Internet, and 4) if it isn’t required, disallowing remote access.
When a breach involves payment card information and no Social Security numbers, companies like Target often make the mistake of offering free credit monitoring. They’re trying to reassure consumers but instead may give them a false sense of security. Credit monitoring looks at changes to a credit file that have been reported to Experian, Equifax or TransUnion. Credit monitoring does not monitor existing credit accounts. So, if a Target customer enrolls in the credit monitoring solution provided by Target, that customer would not be alerted if an existing account—in this case credit cards and payment cards—was used fraudulently. The only way for Target customers to find out if an existing credit or payment card is misused is by monitoring their payment card accounts for suspicious activity.
Finally, data breach victims should take steps to monitor their identity and credit, and check with their providers. An insurance company, credit union or employer is probably already offering this benefit free or at a very low cost. Check with them to activate the service.
This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.