Target tops the list of most epic privacy fails

Privacy has always been a hot topic for us at Naked Security, but recently the news seems to have gone from bad to worse.

We’ve seen a steady onslaught of disclosures about data breaches at retailers, ranging in size from 50 locations of The UPS Store, to the as-yet-unknown, but potentially very large number of Home Depot stores.

It’s an unhappy coincidence then that these data breaches are coming out into the open just as we name Target’s data breach last year as the “most epic privacy failure.”

It’s been a rough year for Target, whose breach last December has come to define the recent spate of payment card data thefts at retailers around the US.

We selected Target along with four other big-time privacy fails and put the question to Naked Security readers – what’s the most epic privacy failure of the past year?

In response to our poll, readers picked Target with 37.3% of the votes.

Second-place Adobe – which suffered a data breach in October 2013 that compromised 150 million customer records – gathered 32.1% of votes.

Our other contenders for the most epic privacy fail were:

  • Snapchat’s big lie in promising that “snaps” taken with the app would “disappear forever” got 13.2% of the votes
  • The Google “Glasshole” who recorded non-consenting patrons at a San Francisco bar – people who had asked not to be recorded – and shared the recording with the world, got 9% of votes
  • And the misinformed frenzy over fictitious predators lurking within the children’s app Talking Angela got 5% of votes

Some readers of our poll – about 3% – submitted an assortment of other privacy issues. The NSA received multiple mentions, not only for breaching our privacy, but also for allowing its own privacy to be breached by Edward Snowden.

How we picked the Top 5

Top 5 epic privacy fails (click to download as a PDF)

We heard from some readers who questioned our inclusion of the Talking Angela hoax in our list.

To understand our reasoning, you could think about it this way: the Talking Angela freak-out was a collective failure to understand the real privacy risks we face today.

When millions of people put aside common sense and swallow the absurd idea that there is a pedophile hidden in the eyes of the cat in the Talking Angela app, a false-positive privacy fail of epic proportions is under way.

The victims of this hoax were the developers of Talking Angela, who were accused of abetting child abuse.

The other choices presented in our poll should be more obvious.

Adobe’s breach could easily be considered the most epic, because the list of its bad practices in storing user passwords was about as long as Target’s list of missed opportunities to prevent its own data breach.

And because Adobe leaked names, crackable passwords and unencrypted password hints, any cracked passwords could be used again and again by criminals looking to break into victims’ online accounts.

Snapchat’s sin was its lack of transparency and outright lying to make users think they were safely sharing private messages when those messages were anything but secure.

The Glass-wearing woman who showed such disdain for the privacy rights of others is an appropriate stand-in for any company or individual who thinks consent before sharing (or “opting in”) is an outdated concept.

And then there’s Target.

Is Target’s fail a fair choice?

Target has suffered extensively for the security blunders and missed warnings that contributed to the data heist.

The company has paid out more than $236 million to recover from the breach – and that doesn’t include the price of lost profits or declining stock value.

One after another the data breaches come, and the popular question becomes “is it the next Target?” and “was this the same crew that hit Target?”

Target’s massive breach of 40 million payment card numbers and 70 million other customer records has become a measuring stick for the larger problem of data insecurity and consumers’ shrinking privacy.

Is it fair to single out one failure among a list of many similar breaches?

We think Target is a worthy choice because the company had many opportunities to secure customer data and missed them until it was too late.

Even so, the privacy failures keep mounting, with some biggies in recent weeks.

Home Depot’s recent data breach might turn out to be bigger than Target’s, seeing that the company has more stores than Target, and may well have been breached for a lot longer.

And, in the wake of stolen nude photos from celebrities’ iCloud accounts, Apple has urged us all to secure our iCloud data by turning on two-step verification (2SV) – even though Apple’s own documentation makes it clear that 2SV doesn’t apply to iCloud access at all.

There’s plenty of fail to go around.

That’s why we think it’s time to stop and take notice of the different ways those whom we entrust with our privacy can fail us, and the ways we can fail ourselves.

5 tips to protect your privacy and identity

  1. Create unique, strong passwords for all your online accounts: use at least 14 characters, including a mix of letters, numbers, special characters, and upper/lowercase. Better yet, use a password manager like LastPass to generate random passwords. Remember to password-protect your mobile devices as well.
  2. Use two-factor authentication (also called two-step verification) where possible to add an extra layer of security for your accounts.
  3. Go over your bank statements the same week you receive them in case of any rogue charges.
  4. Review your Facebook settings to make sure you aren’t sharing more than you thought with people you don’t know.
  5. Log out of websites (yes, including Facebook and Twitter!) when you aren’t using them to reduce the chance of being tricked into posting or liking by mistake.

Want to know more about the Home Depot breach and other hot privacy topics in the news? Listen to our latest security podcast, featuring Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin.


Image of target with darts courtesy of Shutterstock.