So, Target has now updated the scope of the data breach: it is much bigger than the original 40 million credit cards and now includes information on more than 70 million customers, including addresses, email addresses and phone numbers.
But this latest announcement has my spider senses tingling. The way the breach has been announced to date, with each update increasing its scope, makes me uncomfortable. In the announcement they state:
At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals
Target does not just collect information like your address because they want to send you a Christmas card. Target is an innovator in predictive analytics; it maintains what is internally called a Guest ID. This identifier is used to track data on purchases made, whether you used a credit card or coupons, filled out a survey, called customer support, opened an email from them, and other activities.
This Guest ID is linked to your credit card number, email address, or name:
In the announcement Target states:
Data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests
Further, according to the Wall Street Journal, Target said:
There was some overlap between the two sets of stolen data, but Target didn’t say how extensive it was.
So there is some overlap: credit card information is mapped to some users, and only some users have email addresses on file. It seems logical that it could be the Guest ID data that was compromised. I really hope I am wrong.
Target’s chief statistician Andrew Pole discussed the Guest ID program in the New York Times back in 2012:
“If you use a credit card or a coupon, or fill out a survey, or mail in a refund, or call the customer help line, or open an e-mail we’ve sent you or visit our Web site, we’ll record it and link it to your Guest ID. We want to know everything we can.”
The Guest ID can be linked to demographic data such as age, marital status, whether you have kids, estimated salary and which credit cards you carry. This data can be further mapped to other data they can buy about you, including ethnicity, job history and the magazines you read.
Target made media waves a few years back when it was discovered that Target had figured out a teen girl was pregnant before her father did. Imagine hackers launching a spear-phishing campaign with the same level of accuracy.
Security and privacy are two sides of the same coin: the more you encroach on privacy by storing this type of data, the higher the risk businesses take on in securing it. Big data can mean big risk and a big breach.
Now that Target’s breach has expanded beyond the credit card terminals themselves to include data on other systems, I believe it is highly likely that other information, including the Guest ID data, may have been compromised.