Thursday, December 19, 2013

Target's 'Guests' Get Royally Hacked

[UPDATED Dec. 27]

I never cease to be amazed by corporate PR responses to their companies' fiascoes. Latest case in point, Target, the big retail chain where the various credit and debit cards of 40 million customers ("guests," in the sanctimonious, insincere corporate mind) have been hacked since the start of the Christmas shopping season.

Target, incidentally, did not publicly disclose this eminently disclose-worthy fact until today, after a tenacious blogger, Brian Krebs, broke the startling news on his blog, KrebsOnSecurity.com.

Target's PR response, which most of the corporate-friendly media rushed to slam high into their breaking stories on the hacking scandal, was notable for its obfuscation. Here it is in full. 

And so far, no reporting on what really needs to be done, by Target, to fix this: The company should be required to pay for credit-monitoring services for the millions of people whose credit cards were hacked through Target's fault, and who need to monitor their credit card accounts and credit ratings because of it. Instead, Target (and the lickspittle media) are merely advising the victims to do this on their own, at their own inconvenience and expense.

Today, the media had barely reported the actual news -- Hey! 40 Million of Us Have Been Hacked at Target! -- when, in the impossibly corrupted routine of the 24-hour news cycle, the Target response to the heist, and not the heist itself, became the "late-breaking" news. And reporters scooped Target's palaver right up, long before they asked: Just how the holy hell did this happen, Target? What kind of schlock point-of-sale security do you have? And yo, how come you have a schlock data-security system at your stores? What are you going to do to make things right by your customers (I mean "guests"), other than to provide them with boilerplate tips on the laborious process required for them, the customers ("guests!"), to examine their accounts and, if something is wrong, to go about making it right -- including phone calls to credit card companies, investigations of statements and even credit reports and, of course, the annoying chores of getting new credit cards issued, and duly notifying all of those auto-pay accounts of the new information, so their bills won't become delinquent? You may not be responsible for fraudulent charges on your card, but fixing it ain't easy, folks.

[UPDATE: Now Target admits that PIN numbers on the 40 million cards were also stolen, a week after it had denied this. http://www.huffingtonpost.com/2013/12/27/target-pin-data-stolen_n_4508670.html]

Point-of-sale security hacking is one of the under-reported scandals in the retail world, including the world of hotels and restaurants, which are notorious for cheaply maintained and supervised front-end credit-card security operations. The big online retail operations generally have high-grade central security against hacking of credit card information, but at the retail local level -- you know, where you physically swipe your card -- hackers are increasingly busy stealing personal data by the boatloads.

I've written a couple of columns about point-of-sale hacking at hotels and restaurants. And I'll post more on the overall problems, as well as the likelihood that fiascoes like the Target Heist will spur the introduction of chip-and-PIN credit cards (like they use in Europe). Let's hope this latest hacking scandal will spur retail companies to spend the money they need to spend to bolster data security at the point of sale. You know, where they actually take your money.

Here, annotated by me, is some of the insultingly phony language in Target's statement today, the statement -- issued only after the news of the heist was broken by a blogger -- that so many reporters are treating with respect:

"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
###