A couple of days ago, I started seeing stories about Target suffering a major heist of customer data, including credit card information. This is a rather significant bit of news, as target is one of the stores that has used iPads as a big draw this holiday season. I even promoted Targets discounts as the best of the season. Therefore, it is among all things possible that some of my readers have been victimized by this theft. Unfortunately, the news today is even worse.

The New York Times is now reporting that those 40 million, stolen credit cards are appearing on the black market. Here is more on the story as reported by The Verge:

Stolen Target customer data is flooding the black market

With Target already reeling from a massive hack that left up to 40 million credit and debit cards compromised, The New York Times now reports that all that data has been pouring into the black market since the break-in. With the breach taking place between Black Friday and December 15th, criminals on hundreds of illicit card-selling markets have likely had access to consumer information for weeks to date.

Make no mistake about it, this is a major breach. Anyone who shopped at Target Online over Black Friday weekend should be worried. You are at risk of having already been victimized. My issue with Target is not necessarily the fact that they were targeted by thieves. There is something in their response that struck me as a lack of urgency. They were more interested in letting us know that it was fine to jest keep shopping as usual.

The tone of Target's official statement is that everything is going to be just fine. Don't worry. Keep shopping. They assure us that they will take care of any problems caused by purchases from stolen cards. In the meantime, have a nice discount. I felt like there was a lack of solemnity in the comment. It was a statement from marketing rather than security. This is a situation where marketing should take a backseat to the more serious issue of your credit card being in criminal hands. Here is the statement:

Target Data Security Media Update

We are continuing the process of reaching out to guests across a number of channels including traditional and social media. Also, we have begun notifying, via email, those guests whose emails we have and who shopped in our U.S. stores with a credit or debit card during the period of November 27 and December 15. We expect that all emails will be sent by the end of the weekend.

It is very important for our guests to understand that receiving an email from us or a letter from their financial institution is absolutely not an indication that there has been, or will be, fraud on their card.

We continue to experience significantly higher than normal volume to our call centers and REDcard website, causing delays. We are working around the clock to resolve this issue by continually adding capacity both to our call center and technical systems to meet all of our guests’ needs. For example, in the last 24 hours we have quadrupled the capacity of our online REDcard account management site.

To date, we are hearing very few reports of actual fraud, but are closely monitoring the situation. We want to reassure guests that they will not be held financially responsible for any credit card or debit card fraud.

At this time, there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash.

We have no indication that the data that was inappropriately accessed included a guest’s date of birth or social security number.

The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase.

In addition, we have already alerted all of the networks (Visa, MasterCard, Discover and American Express) and provided the affected card numbers of guests who may have been impacted. The networks, in turn, are providing the affected card numbers to the financial institutions of our guests via a “batch” or “CAMS alert.” This alert process allows card providers to take steps to enact additional fraud monitoring. For our REDcard holders, in addition to the robust fraud monitoring system we already had in place, we have added additional layers of security and fraud monitoring to their cards.

This whole statement seems to be contrived to assure customers that nothing really bad has happened. Bad guys have access to enough of your credit card information to sell it on the black market. I assure you, something bad has happened. Stop shopping and take this seriously, please. Target has an interest in downplaying the event. Whenever a company acknowledges a breach, there is a good chance that things are worse than what they admit.

http://nypost.com/2013/12/20/ny-apple-thefts-eyed-in-targets-nationwide-credit-breach/

NYPD detectives are investigating the theft of Apple electronics from several New York-area Target stores for a possible link to a major hack that compromised the credit and debit cards of 40 million of the retail giant’s customers...

A search of the vehicle turned up $20,000 worth of Apple goods in Target shopping bags inside the trunk. Receipts for the devices — 17 Apple iPad Airs, 11 iTouches and 14 iPad Minis — showed they had been purchased at area Targets, predominantly on Long Island, sources said.

The goods allegedly were bought with gift cards that had been purchased with stolen credit card.

My suspicion is that we are just seeing the tip of a very large iceberg. I do not mean to undermine the safety of online shopping in general. I do quite a bit of shopping online. I am just very particular about the online retailers with whom I shop. For the most part, there are only two: Apple and Amazon. I will also do business using Paypal. Those are systems that can be trusted to have top-shelf security. There is a reason that you never hear about credit card information being stolen from the largest holder of credit card information. Robbing iTunes or Amazon is akin to robbing Fort Knox. Robbing Target is more like knocking over the local liquor store.

Finally, I find it interesting that Apple products are the only consumer electronics targeted by thieves these days. Target's promotion and inventory of Apple products is likely why they were targeted. In the last several years of tracking these things I have yet to here about a heist of Samsung Galaxy whatevers. Remember the great Android caper of 2012? Neither do I. This dubious boast comes with a real warning. If you carry an iPhone, iPod, iPad, or MacBook, you are carrying one of the most wanted devices among bad guys. Being an iFan is risky business. So be aware of your surroundings when you use your devices. For maximum security, disguise your iPhone as a Galaxy S4.

David Johnson