What not to do after breach

Target’s response to its recent breach is a good lesson in what not to do after a company experiences a security incident. Other corporations facing the growing risk of data breaches can learn from the many missteps, if not foolish errors, taken by one of the nation’s largest retailers.

The company’s first mistake was bad timing. Hackers stole confidential data of up to 110 million Target customers who shopped at stores from Nov. 27 to Dec. 15. But instead of proactively announcing the breach, Target got scooped by respected security blogger Brian Krebs.
Krebs broke the story on Dec. 18. On the same day, Target CEO Gregg Steinhafel issued the statement that “we are pleased with Target’s holiday performance.” The company confirmed the breach only after the U.S. Secret Service and American Express released their own investigations.

From there, Target made two more egregious errors that sent the wrong message to customers and may jeopardize its financial security.

The first was an email that notified customers of the breach and offered them one year of free credit monitoring through Experian. Here are the problems with that approach:

• The email came from a suspicious sender address on a “bfi0” subdomain instead of @target.com. Plus, it directed users to click on a link for additional details on the monitoring. The bizarre “bfi0” in the subdomain suggested nothing official to differentiate it from the phishing and malware-laden emails sent by scammers following such corporate data breaches; scammers often make exactly these kinds of subtle tweaks.

• Target should have known that customers are conditioned to not click on links in email messages, especially after a headline-grabbing security breach and with a questionable sender address.

• Many people who received that email—myself included—didn’t actually shop at Target during the compromised dates, which made the email appear even more like a scam.

• Because the notice was delivered via email, and probably because it originated from a suspicious email address, the original message ended up in junk mail boxes. I only looked at the Target email because I was looking for a good example of a phishing email following a data breach.

But the gravest error by Target was to offer free credit monitoring. It may seem counterintuitive, but it has become a routine mistake companies make in the aftermath of a security breach that involves payment cards rather than Social Security numbers (SSNs). Though offering credit monitoring is usually an attempt to reassure consumers, this may instead give them a false sense of security and lead to more consumer blowback. Here’s why:

•    Credit monitoring won’t help people impacted by a payment card breach. Credit monitoring is a service that is limited to looking at changes to your credit file. It looks for new creditors, credit accounts and key account changes, such as an address change, that have been reported to Experian, Equifax, or TransUnion. What credit monitoring does not do is monitor your existing credit accounts. So, if a Target customer enrolls in the credit monitoring solution provided by Target, that customer would not be alerted if an existing account—in this case credit cards and payment cards—was used fraudulently. The only way for Target customers to find out if an existing credit or payment card is misused is by monitoring their payment card accounts for suspicious activity. All suspicious activity should immediately be reported to their payment card issuer. While banks and card companies are aware of this incident, some customers of smaller financial institutions may think they are safe when they enroll in the credit monitoring, only to find that their card has been maxed out at the end of the month.

•    Were SSNs stolen? By most accounts, including Target’s, no SSNs were exposed in this breach. Based on the nature of the breach and the very limited circumstances in which Target would have needed to collect SSNs, it is unlikely that the exposure of SSNs was part of the fact pattern here. This is important because without the exposure of an SSN, the creation of new credit lines and accounts, which creditors report to the credit bureaus and which then show up on an individual’s credit file(s), is incredibly unlikely. So again, it raises the question: Why was a tool that doesn’t monitor the actual risk here offered when no SSNs were exposed and it simply won’t help? (See point 1)

•    Even if credit monitoring were effective or called for here, one year of free credit monitoring often isn’t long enough. Even if SSNs were exposed in this breach, which they weren’t, organized thefts of information by criminal rings, as is likely the case here, create exposures that surpass one year. Organized rings often will know that a breach of information was disclosed. They are aware that people may place 90-day fraud alerts or be enrolled in a year of monitoring as a result. So what do they do? Well, they simply hold on to the information for a year. Since there is no expiration date on an SSN (until you expire, that is) customers may initially breathe a bit easier with a year of credit monitoring. But they shouldn’t assume that stolen information can’t be abused afterward. Identity thieves can simply sit on collected data until 2015 or later.

•    The sign-up process for the monitoring offered is not consumer friendly by nature. Some providers of credit monitoring have a one-step process: You simply enroll and once you have been authenticated and signed up, your monitoring is active and no further steps are required. But the Target/Experian process involves a two-step enrollment process. So once you have been authenticated and signed up, you are then sent a verification email to enroll. Enrollment is only completed and active when you click on a link in the verification email, which often either a) winds up in a Spam folder and/or b) is forgotten by the consumer. The e-mail is then never clicked for activation and the consumer is left thinking they are enrolled in monitoring when, in fact, they are not. Regulators do not like this two-step sign-on process for the very reason that so many consumers do not, through no fault of their own, end up getting enrolled. In fact, even Consumer Financial Protection Bureau director Richard Cordray mentioned this in a recent appearance on The Daily Show with Jon Stewart. While he was referencing monitoring and other services paid for by the consumer, he said, “What they don’t tell you is maybe there’s an extra step or two to actually get the product. Months later when you go to seek the protection, they say, ‘Oh you didn’t have it.’ That’s wrong. That’s totally unfair.” And when it comes to consumer protection by the Federal Trade Commission, CFPB, or even state offices of the Attorney General, the last thing you want to hear is the word “unfair” in relation to treatment of a consumer.

The bottom line: Credit monitoring can be useful when it’s an ongoing service and not presented as an easy fix to a problem it will not solve, which is the case with the Target breach. It shouldn’t be used as a replacement for careful consumer vigilance. This means regularly looking over your existing accounts and cards for suspicious activity and charges in addition to monitoring your actual credit files.

While Target management was likely following the advice of its counsel, business units, compliance folks and potentially even regulators, this breach is a good opportunity for companies large and small to rethink their ‘boilerplate’ approach to breach remediation in favor of solutions and advice to consumers that fit the actual risks. It is also a good lesson in how to communicate with the public and impacted consumers, or at the least, a lesson in how not to communicate and respond to a breach.

Eduard Goodman is chief privacy officer at IDentity Theft 911.