Target issues apology letter - but includes some awful security advice

Filed Under: Data loss, Featured, Malware, Privacy

A Naked Security reader just emailed us to say, "I received a message from Target about the breach. It talks about customers, and people who shopped at the company's stores, and names me in the breach. But I've never actually shopped at Target."

The concerned reader also pointed out that the statement was published on Target's website back on 13 January 2014, but the email she received only arrived on 16 January 2014.

She admitted that the email didn't look dangerous: it had no links to login pages and no suspicious attachments, so it didn't seem to be anything to worry about.

Except for the fact that she received it at all - and apparently three days late at that.

Giving bad news in a good way

That's always a problem for a company faced with delivering tough security news by email: it's hard to make the message look obviously different from an email sent by crooks trying to capitalise on the disaster.

Let's see how well Target did, and if there is anything they might have done differently.

Here is the web version in full:

The message is short, it doesn't try to pretend the breach didn't happen, and it offers a sincere apology.

All those things are good.

But there are two things I'd definitely have done differently.

Make it absolutely clear who had what stolen

Firstly, I'd have avoided mixing the words "guests", "customers" and those "who shopped," since it's not clear whether they are intended as synonyms, or merely as different, possibly overlapping, groups of victims.

That, in turn, means it isn't clear which group Target thinks each victim was in.

It certainly seems, from our reader's confusion, that "guests" (who lost details like name, address and phone number) include people who have had something to do with Target, somewhere, somehow, but who have never actually bought any products there recently, or even at all.

So here's what I think Target is trying to say:

  1. We have a large database of people who have interacted with us, called "guests", including customers (who have bought something from us at some stage), and others (who have shared personal information with us, but never actually purchased anything). If you are in this group, your name, address, phone number and email address were stolen by the crooks.
  2. We have a subset of the above database, consisting of customers who actually bought something from one of our stores (not online), using a payment card, between 2013-11-27 and 2013-12-15 inclusive. If you are in this group, your payment card details, such as number and expiry date, were stolen as well.

If you are in group 2, you can have a year of credit monitoring for free, but if you're only in group 1, you can't.

Target really needs to clarify who was in which group (or both), and which recipients of the email qualify for the free monitoring.

It's obvious that there are people whose names and addresses were stolen but who didn't buy anything recently, who didn't lose any payment card details in this breach and who therefore don't qualify for the free credit monitoring.

Target has mixed together the warning sent to people who lost non-payment information only and the warning to those who lost payment card data as well.

That, in my opinion, is a recipe for confusion.

Don't trust the caller

Secondly, if I were Target, I would not have said this:

Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.

If you don't know and trust someone who calls you, why would you trust any phone number or web URL they might give you?

Just bear in mind how successful the so-called fake support call scammers have been in recent years.

Those are the guys who phone you out of the blue, falsely claim that there is a virus on your computer, dishonestly use the Event Viewer to show you errors that "prove" their claim, and then fraudulently charge you $300 for cleanup.

If you ask for a number to call those guys back, or simply use the number that came up on your CallerID/CLI display, which amounts to the same thing, you will almost certainly be given a legitimate-sounding local landline number.

If you're in Sydney, Australia, for example, the number will probably be something like +61.2.8xxx.xxxx; if in Oxford, England, +44.1865.7xx.xxx; and so on.

And if you call that number back, guess what?

You will get through to the company that just called you.

Having an honest-looking local phone number doesn't mean the caller is an honest, local person; the same applies to website domain names.

Domain names can, and frequently do, redirect anywhere; the same is true of phone numbers these days.

Don't rely on information that could have come from a scammer to help you determine if that person is a scammer.

Use some objective, independent means of finding out the contact details of anyone who claims to represent a company you do business with and who asks you to disclose any personal information.

In the case of your bank, for example, you can probably find the number to call to dispute a payment card transaction on the card itself, or on a recent statement, or (as I notice many banks are doing now) on-screen at any ATM, without needing to insert a card.

And if you are an organisation that finds itself needing to call customers to look into suspicious activity on their account, try to do the right thing from your side.

Please avoid opening the call, as many companies still seem to do, by saying:

Hello, I am X from Y, investigating a possible problem with your account Z. Before we start, for security purposes, I need you to give me your date of birth and your security codeword.

Try a refreshingly different approach, such as this:

Hello, I am X from Y, investigating a possible problem with your account Z. But because you don't know me, don't tell me anything yet. I'm going to hang up; I'd like you to take out your {payment card, last statement, contract} and look in the top right corner where it gives an emergency contact number. Then call us back!

As for Target, let's hope the company distinguishes the various parts of the breach a bit more clearly.

If the crooks got at your payment card data, did they get your home address and phone number, too?

If they got your address and phone number, should you cancel your cards even if you didn't shop at Target recently?

Clarification along those lines would be very handy.

In the meantime, here's a short podcast in which we offer some advice on dealing with suspicious callers who try to scam you or your friends and family over the phone:


55 Responses to Target issues apology letter - but includes some awful security advice

  1. They obviously didn't pop this through the common sense filter. You provide good advice. Of course why would you ask for a call-back number? It makes no sense at all. I would also, as you suggest, want clarity as to my exact personal circumstance in relation to the breach.

  2. The mobile version of this page botched the links. The entire first paragraph is linked.

  3. andrew hessen · 193 days ago

    I received a letter too, that offered the credit checking with a link. I went to the Target website and tried to find the link through there and could not. Whilst the address the email was sent from had 'target' in the title, there were a number of other characters in it that, to me, didn't seem right.
    TargetNews@Bfi0.com
    the link on the email went to
    credit.monitoring@target.com

    • Paul Ducklin · 192 days ago

      As others have noticed, looks as though bfi0.com is a mailshot company owned by Epsilon (that once had a big breach of its own :-) and presumably contracted by Target.

      This email run is a biggie so you can understand why it would be contracted out.

      Though if I were Target I would have seen if there was a way I could send it myself, just to look the part, I really woulda.

      http://nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/

    • Jeff · 192 days ago

      I received an email that offered the credit checking with the link to sign up for the credit check. I had already been on Target's web site and had found the link, and knew that the link in the email matched, but I still did not follow that link. I went to Target's home page and followed the breach info link, then from there to Target's credit check link. I had no trouble following and finding their info.

  4. Lee Sweet · 193 days ago

    All I've heard so far is that this was all from POS malware. So, if they really got all this data about 'guests' who didn't shop at all, what database was compromised that hasn't been made actually public? This seems to be a complete different attack/vector/event. Or the malware seems to be a lot more inventive!

    • Deramin · 191 days ago

The POS terminals were Windows computers on their network acting as cash registers. The attackers pried their way in through a web server, set up shop inside the network, and then attacked the POS terminals from the inside. But while they were in there, they also looked around for other interesting data stores to steal, which is how they came across the guest database.

I'm guessing that customers are not necessarily a subset of guests, but two distinct data sets that have a lot of overlap.

      • Paul Ducklin · 191 days ago

        That's how I figure it. One breach, two sub-breaches. Malware to suck up the card data; other hacking activities to suck up the "guest data"; and - we hope! - nothing else.

        That's the thing with a breach. It can be hard to see what's gone missing, especially since it doesn't actually "go missing", like in a traditional theft.

  5. bblawsonuk · 193 days ago

    What I would like to know is how Target has my email address to send me the Apology Letter. Yes, I did receive one. According to my credit card company, my husband and I were affected by this breach and our cards have already been replaced. But, back to my original question, how does Target have my personal information?

    • They have many ways to get it... last year I went into Target to get a can of "Compressed Air"... the cashier wanted to scan my drivers license because "...these cans have gases that kids use to get high..."... well so does whipped cream and lots of other stuff but you're not scanning ID for those.

      • Anonymous · 190 days ago

        And that gives them your email address how, exactly? I've NEVER given Target my email address, and yet I received this email at three of my email addresses. That's NSA-level creepy to me.

        • Paul Ducklin · 189 days ago

          Survey? Third-party marketing company? Competition? Purchase at a company owned by Target?

  6. docwood · 193 days ago

    This is some help, but not a lot. I still don't know how to figure out if any relevant, useful payment information of mine was lost, or what I ought to do even about my e-mail being lost.

    I haven't bought anything at Target since a colleague registered there for a baby shower fourteen or fifteen years ago. Do I give a rat's ass that my data was stolen? Probably not. Do I care that these idiots were keeping this stuff, unencrypted, for this long? Absolutely.

  7. We've got a TV company here who often phone their customers about special offers and so on... but they always ask for the password, or part of it. They called me, though... I never allow them to have any part of the password that way. If I'm at all interested, I call them back on a number I know and trust to be theirs. However, they seem somewhat baffled by my attitude when they call me.

  8. Anon · 193 days ago

    I got the Target e-mail the other day as well and was not impressed.

    My first reaction was that it was a scam because they shouldn't have my e-mail address. I have never shopped online at Target and it was to my work e-mail which I wouldn't have used if I had. I am assuming this address was obtained through a third party. The other red flag was that the e-mail isn't from Target. The address is "TargetNews@target.bfi0.com". If you do a lookup bfi0.com turns out to be owned by Epsilon, a large marketing company--the same company that brought you the massive Epsilon data breach a few years ago.

    • Paul Ducklin · 192 days ago

      Hmmm. you can see why Target might want to use a specialist email sender for this one (70M people to contact), but...as you say, Epsilon, eh?

      Maybe the theory is that a company that's had a breach is "battle hardened" and thus a good choice :-)

      As for how your email came to be in Target's possession though you didn't shop there, I reckon you're right about a third party.

      Although the company uses "guest" and "customer" as if they were synonyms, they aren't, neither (apparently) in Target-language nor in regular English. It's always a problem when a company gets so used to its own jargon, and when it becomes so pervasive in its operational correspondence, that it forgets how to explain in Plain English, and forgets that its jargon words have very well-established (and different) meanings to everyone else.

  9. Anonymous · 193 days ago

    Thanks for this. I got my web letter yesterday and wasn't sure it was really from Target. So now I know.

    • cupjay · 193 days ago

      yeahbut, if i was a scammer i'd send out that exact same letter, including masthead, EXCEPT subtly change the 800 call back number to redirect to me instead of target. soooo, still muuuch better, only call the number on your (verified) monthly credit card statement.

      • Paul Ducklin · 192 days ago

        Excellent point - I agree.

        I wish I had mentioned that explicitly in the article, not just implicitly by saying "don't go with what they said was the number."

        But you mentioned it, so now I don't have to, thanks :-)

  10. I was under the impression that group 2 (purchasers) is separate from group 1 (guests). If I just swiped my card but never otherwise gave them my address and phone number, then why would they have that? That wouldn't be necessary for the transaction.

    • Paul Ducklin · 192 days ago

      Hmmm. I see what you mean. There'll be a big overlap (I suspect many customers will be guests, but not all *purchasers* will be).

      I'd better edit the article a bit, eh :-)

  11. Calling back to the number on the back of the card is dangerous, especially in response to a call from a scammer. In the UK anyway, if the caller does not hang up the call, attempting to dial out will not hang up the previous caller, and so when you think you are speaking to the credit card company you are simply speaking to the original scammer, or probably his accomplice who is waiting for your call. The next thing you know, you've given away all your security credentials and the CCV on the back of your credit card.

    • Paul Ducklin · 192 days ago

      Is that *still* the case? I was under the impression that if the callee hangs up, then the circuit is recycled after a short time even if the caller doesn't hang up, unlike in the old electromechanical days when the circuit was under the caller's control.

      (The reason I say that is this: in the old days, if you left your phone off the hook by mistake, or even deliberately, it tied up infrastructure because you were an "about to call" caller. But that doesn't happen any more, in my experience. If you leave your phone off the hook it squawks for a while and then goes silent until you cycle the receiver.)

      And what you describe doesn't happen if you're using a mobile phone, does it? Can't, in fact?

      It's been a long time since I accidentally got through to the previous caller due to an unterminated connection, so either I and my callers have become more dextrous in recent years, or the equipment has changed...

      ...discuss.

      • John · 190 days ago

        I live in the UK and just tested that if I receive a call, I cannot terminate the connection by hanging up. In fact, I can't make another call until the other party hangs up. (It's particularly annoying when I've been cold-called by some scammer since I can't phone out until they've put the phone down.)

        I've heard some useful advice regarding the call-back trick (i.e. you receive a call pretending to be from your bank asking you to phone back on the number on the back of the card). Note that a scammer can play a dialling tone and DTMF tones to make it seem like you have cleared the call.

        The advice is to phone a friend first to make sure the line is clear.

  12. Lenee · 193 days ago

    I just received that same email today, and I am confused on how I got it when I NEVER shop at Target? How did they get my email address??

    • Paul Ducklin · 192 days ago

      Competition? Survey? Web site form filled in for a third party? Shopped at a store owned (or later bought) by Target?

  13. Hallie Sepsi · 193 days ago

    I received the letter shown above, and went to the Target website by entering the URL directly in my browser (not by clicking on the link in the letter.) I was told to submit my email address to receive an activation code for a year of credit monitoring. I did that, but when the activation code arrived, one of the things the instructions said was to submit my Social Security number. I have not done that, because I'm not sure this is legitimate. Does anyone reading this know whether the SSN request is really coming from Target or Experian? Or should I ignore it?

    • Paul Ducklin · 192 days ago

      Great. So Target said in the message that it wouldn't send emails that asked for PII, and now this...

      OK, to be fair, you've now exited from Target's operation and are dealing with Experian [?], just that Target will pay the bill. So Target didn't ask for PII.

      And I can see why a credit monitoring company might want your SSN - to monitor its abuse they need to know what to look out for - but I can equally see why you won't want to give it.

      Maybe contact Experian and say, "I want your service, bankrolled by Target. I will give you plenty of PII, but not my SSN. I accept that this might reduce the efficacy of your service...but how/can I do that, since I am the customer?"

      • ... seen both sides now ... · 190 days ago

        My local bank's office personnel called to my attention that Experian is no rose -- apart from having had their own massive "data loss" this past fall, their current Target credit monitoring page has reportedly been hijacked now, as well. Makes me loth to trust them with anything. Your take?

  14. Barry · 193 days ago

    Good article AND Good advice!

  15. Keith · 193 days ago

    I also received this letter and took a look at the header. It comes from target.bfi0.com through the bigfootinteractive.com mail servers. bfi0 is Bigfoot Interactive, an email marketing company which was purchased in 2005 by Epsilon, also referenced in the header pimta07.epsiloninteractive.com.

    There are no links in the e-mail as have been suggested and based on the header does appear to be a legit, if not well written notice.

  16. ... seen both sides now ... · 192 days ago

    I suspect that Target bought a boilerplate breach-admission letter designed to be sent to a hotel chain's past guests, and just never quite gussied up the prose to match Target's needs.

    • Paul Ducklin · 192 days ago

      No, Target uses the term "guest" to mean "customer and more". It's the company's own jargon, as far as I can see, that it has leaked into the world under the assumption that it ought to be obvious. Well, with the reader referred to in the article (she wanted to remain anonymous) confused, and me confused...that's enough for me to say, "Skip the jargon. Pick a word or phrase that is 100% unambiguous, please. It's not that hard."

      • Matt · 192 days ago

        Former Target employee here. When I worked there (2005-2007), the terms "Guest" and "Customer" were used interchangeably to refer to the same people. This was indoctrinated from the Corporate offices, and the word "Customer" was a 4-letter word that was rarely, if ever, spoken by any "Team Member" (employee).

        Based upon this email, it would appear that has loosened up a bit, but even without purchasing anything in a store Target likely has a wealth of information about just about everyone that they've obtained from various sources.

        One thing that hasn't been mentioned enough yet is the security of more private information such as SSNs about people who have worked for Target, or who have a card issued by them (the bank that issues the cards is fully owned by them). If they're keeping so much information in the same database, who's to say that they're not keeping banking or HR data in the same place, or that the database(s) hosting that information were not also compromised?

        • Paul Ducklin · 192 days ago

          At the moment, I think we are all hoping that the breach was merely two-pronged: card data from loads of transactions, and lots of PII (though a limited amount on each user, apparently not including DOB, SSN or any other identifier of that sort) from some other source.

          Were there other, more detailed databases cracked open at the same time?

          Right now (2014-01-16T21:13Z) we simply don't know :-(

  17. ... seen both sides now ... · 192 days ago

    What's more, I sure as shootin' didn't trust the 866 (toll-free) phone number given in that email, without first verifying it independently with an agent at the Target phone number printed on the back of my Target Card. Paranoia ill-founded in this instance, as it happens, but well-founded in principle all the same.

  18. Hank · 192 days ago

    I haven't shopped at a Target store ever. I made only one online purchase 2 years ago (and never again since then).

    Even so, I received the email. I went to the target website and confirmed the email was legit. I obtained an Experian credit monitoring activation code and then went to Experian where I found the page for Target customers. I entered the activation code, it was verified and I was taken to a secure page to fill in my personal data which was verified by Experian.

    • Paul Ducklin · 192 days ago

      So the bit in the letter saying that the free monitoring "is for guests who shopped in US stores" is inaccurate...and in fact seems to *understate* Target's offer.

      The implication to me is that the free monitoring would apply to anyone whose card data was in the 40M "original" breach, but now it seems that you qualify if you were one of the original 40M or [inclusive or] the subsequent 70M.

      • Eric · 192 days ago

        Yes, the free monitoring is for anyone who got the letter.
        I did not/do not shop at the store but somehow they magically have my real email address (I would have used an alias). I am guessing Target has bought marketing data from ??? and that makes up the additional 70M guests.
        After a few hours of requesting the code you will be given a link to register for the credit monitoring. All the mail headers, ips and ssl certs look legit.

  19. Winski · 192 days ago

    Just to amplify just how clue-free the Target folks truly are, I actually shopped at TWO local Targets on dates inside the date windows specified as dates of 'the breach'. I have NEVER received a single note from Target - NOTHING. If I hadn't taken action on my own, I would have never known that I had been exposed as 100 MILLION PLUS others have been exposed.

    Did they just pick folks at random to notify speculating that they may or may not be affected by the breach ???

    Amateurs.

    • Paul Ducklin · 192 days ago

      Received wisdom is that the crooks got a lot, *but not all*, of the payment card transaction details in the US.

      If RAM scraping malware was the way they stole the data, it's very likely that the crooks didn't get everything: any store the crooks couldn't infect would be immune; any PoS register where the malware crashed and wasn't running would have been safe; etc.

      If so, I think it is fair to assume that Target would have a good idea whose card data was stolen by matching up a list of infected PoS registers with transactions. Or if there were stores in which no registers were infected - and a plausible explanation for why the crooks were unable to get into that part of the network - they might reasonably conclude that no customers at that store were infected and scrub them from the list.

      Also - as a commenter noted elsewhere - it is possible that Target doesn't have your email address and simply can't contact you. There's not a lot you can do about that (and if it's true, you probably don't want to give them your email address now).

      I don't know what to suggest.

      Doing nothing (but watch those bank statements) is an option; getting your card replaced by the bank is an option; calling Target's helpline is an option; just signing up for the free credit monitoring anyway is an option.

      Anyway, not to excuse Target, but I betcha they didn't "just pick folks at random." And if they did exclude people based on the assumption that the store (or register) they paid at wasn't infected, they're on a dilemma of what to tell the people they excluded...they have to avoid anything that might be construed as conveying the message "you're home free," when the investigation isn't finished yet.

      Of course, what you have proved for all of us is HOW MUCH BETTER PREVENTION IS THAN CURE when it comes to security breaches :-)

  20. My card cancelled itself. They mailed me a new one, told me to activate it ASAP as I'd shopped at target during the holidays, and my old one deactivated when I activated the new one.

    • Paul Ducklin · 192 days ago

      Neat.

    • Stephanie F. · 173 days ago

      Our bank - SunTrust - did the same. I had shopped at Target using my debit card during the time period defined, my husband had not (separate accounts). SunTrust replaced both of our cards without us even asking. We didn't have a choice, though we would have requested it if we hadn't received SunTrust's letter telling us about the replacements.

  21. Slashee the Cow · 192 days ago

    "If you're in Sydney, Australia, for example, the number will probably be something like +61.2.8xxx.xxx;"
    I hate to be the pedant I am (oh who am I kidding, no I don't), but I live in Sydney and I'd find a number like that VERY suspicious... because our phone numbers have eight digits after the area code (the 2 in your example), not seven.

  22. Dave · 192 days ago

    The activation code provided by Target was not accepted by the Experian site. The site instructs to call an 888 number. No way. Sell your Target stock ASAP. This is a disaster.

  23. JonK · 192 days ago

    Actually, Target appears to be offering a year of free credit monitoring for anyone who had a business relationship with the company, not just those who used their credit cards during the period in question. I was not in a Target store during that time, but I am on their email list. I was provided with a code to use at Experian to set up monitoring.

    There was, however, another blunder with regard to the email sent by Target. A trace back of the header led to a third party sender not identifiable as Target nor did Target provide on their website an obvious way to inquire about the sender. As a result, I did not accept the credit monitoring offer via the email's hotlink, but went to the relevant Experian site on my own and signed up for the free monitoring there.

    • Paul Ducklin · 192 days ago

      You're right!

      I didn't get a copy of the full email until after I'd written the article - but I can confirm (from the sample I did get) what other commenters are saying, namely that the email was sent for Target from bfi0.com - apparently a mass-mailing company owned by Epsilon, itself a victim of a big breach a couple of years ago. Heigh ho.

      Ironically (though just slightly outside the scope of this article), Target's email SPF record, i.e. its formal list of "who's supposed to send email on our behalf", doesn't include bfi0.com. And Target's SPF record uses the lily-livered "soft fail" setting anyway. Heigh ho.
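The SPF point in the reply above, and the header observations in comments 15 and 23, can be made concrete with a small evaluator. What follows is an added example, not code from the article, from Sophos or from Target: it implements the ip4/ip6/include/all subset of SPF (RFC 7208) over constructed records for made-up domains (example-retailer.test, bulkmail.test and friends), so every domain, address and record in it is an assumption and none is any real company's DNS data. The first retailer record reproduces the weakness described in the comment (the bulk mailer that actually sends the notice is not listed, and the record ends in "~all"); the hardened variant lists the mailer and ends in "-all".

```python
import ipaddress

# Constructed SPF records for hypothetical domains (made up for this example;
# not Target's, Epsilon's or bfi0.com's real DNS data).
SPF_RECORDS = {
    "example-retailer.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-retailer.test ~all",
    "_spf.example-retailer.test": "v=spf1 ip4:198.51.100.10 -all",
    "example-retailer-hardened.test": "v=spf1 ip4:203.0.113.0/24 include:bulkmail.test -all",
    "bulkmail.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

# RFC 7208 result names for each qualifier prefix; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records, depth=0):
    """Evaluate a simplified SPF policy for the connecting IP.

    Supports ip4, ip6, include and all. Mechanisms that need live DNS
    (a, mx, ptr, exists, redirect=) return "permerror" rather than guessing.
    """
    if depth > 10:                       # RFC 7208 caps include recursion at 10
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"                    # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:  # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror"       # would need a DNS lookup
            continue                     # unknown modifiers are ignored
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a, mx, ptr, exists: not supported here
    return "neutral"                     # nothing matched and no "all" term


def default_policy(domain, records):
    """What the record says about senders it does not list (its 'all' term)."""
    record = records.get(domain, "")
    for term in record.split()[1:]:
        qualifier, name = "+", term
        if term[0] in QUALIFIERS:
            qualifier, name = term[0], term[1:]
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def assess_notification(from_domain, sender_ip, records):
    """Classify a notification email as a receiving mail server would, and
    flag the two weaknesses discussed in the comments."""
    result = check_spf(from_domain, sender_ip, records)
    findings = []
    if result == "softfail":
        findings.append("sender not authorised, but ~all means most receivers still deliver it")
    if default_policy(from_domain, records) == "softfail":
        findings.append("record ends in ~all; use -all once every legitimate sender is listed")
    return result, findings


if __name__ == "__main__":
    # 192.0.2.5 is the (constructed) bulk mailer's address.
    for domain in ("example-retailer.test", "example-retailer-hardened.test"):
        result, findings = assess_notification(domain, "192.0.2.5", SPF_RECORDS)
        print(domain, "->", result)
        for finding in findings:
            print("   ", finding)
```

The retailer record evaluates to "softfail" for the mailer's address: nothing in the record matches, so the "~all" term decides, and most receivers treat that as "deliver, perhaps with a mark" rather than reject. The hardened record evaluates to "pass" for the listed mailer and to a hard "fail" for anyone else, which is the setting that actually lets recipients (and their mail servers) distinguish the genuine notice from a look-alike.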

  24. ejhonda · 192 days ago

    I received this letter through the USPS recently. I haven't shopped at Target for 6 or months, so I wasn't concerned about it but I did find it confusing as to who the letter was being targeted at.

  25. I got this letter too by email and flagged it as spam, because I've never shopped at Target.

  26. Anonymous · 191 days ago

    I'm more worried after receiving (but not opening) that email than before: whether it's legitimate or not, it has characteristics I associate with malware.

    If I do shop at Target in the future, payment will have to be in cash, which of course means small purchases only.

  27. Kenny D · 190 days ago

    Why should I give my personal info to Experian? Who says they can't be hacked? Better off to just put a security freeze on their site.

    • ... seen both sides now ... · 182 days ago

      To all who wonder what Kenny D asked, "Why should I give my personal info to Experian? Who says they can't be hacked?" : No one says Experian can't be hacked -- indeed, they were hacked just this past fall -- "Experian Sold Data To Vietnamese ID Theft Ring" "Fake private investigation firm tricked data broker into divulging numerous Americans' names, social security numbers, birthdates and bank account numbers." (-- InformationWeek, 10/21/2013)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog