By now, word of Target's breach has become the subject of interest at the water cooler and in the break room. It's a good bet that some of the staff have come to the security team (or IT pulling double duty) with questions.
So, in the spirit of making things easier for those of you in the trenches, here's a brief email you can blast to the company that'll cover the basics of Target's breach and answer some of the common questions.Background:
As you may have heard, Target recently confirmed a security incident, in which criminals accessed data for up to 40 million credit and debit cards. As the news reports have noted, the risk is that criminals may create cloned cards, and use the compromised card data to make fraudulent purchases.
The incident itself took place between November 27 and December 15, 2013. So if you did any holiday shopping at Target during this time, you may be impacted by this theft. Also, only those who were physically in a Target store on these dates are potentially involved. Shoppers in Canada or on Target.com did not have their information accessed.
Target says that the data accessed by the criminals includes you name, credit card / debit card number, expiration date, and CVV. However, Target's language, during the first wave of details released to the public, wasn't clear on what CVV data entails.
They've since clarified, but it is important that you understand that the criminals accessed a code used during the approval of a physical transaction - known in the retail industry as CVV1, and not the security code on the back of your card, which is known as CVV2.Next Steps:
It's important that Target's security problems do not cause you any undue stress.
While the incident is serious, consumer protection laws in the U.S. mean that you are not liable for fraudulent charges to your credit card due to this incident. Again, you have ZERO liability. With that said, debit cards are a bit different, and you should talk to your bank about any liability. Most banks will say zero liability; others may set a limit of $50 or so.
Also, if you were visiting the U.S. and shopped with Target during the aforementioned timeframe, you'll need to speak with your financial institution about options, but odds are you're covered too, and won't be held liable for fraud.
If you notice charges that you didn't make appear on your bank or credit card statement, report them immediately by contacting the bank that issued the card, and they'll help you get things sorted. If you have a Target REDcard and notice suspicious charges, then you'll need to contact Target directly at 866-852-8680.
Again, only your name, card number, expiration date, and CVV1 data was compromised. The criminal(s) behind the attack on Target didn't get anything else about you. So there is no risk to your Social Security Number, address, phone number, date of birth, etc.
Finally, Target will offer you free credit monitoring for one year, if you want to take advantage of it. They say they'll be reaching out to you directly in the coming weeks once the service has been set up. However, from the way things were worded, only U.S. residents will be eligible for the monitoring services.What not to do:
Do not cancel your credit or debit cards due to this incident. You don't need to. All of the major banks are aware of what happened at Target. For example, PNC Bank is already issuing notices to customers offering them additional information, but if you're concerned call your bank and they'll help you get things taken care of.
While being aware of the potential risk created by Target's incident makes sense, panic does not. Keep an eye on your statements, and report anything that looks suspicious. Again, you have ZERO liability for fraudulent charges to your credit card, and in all likelihood, the same will apply to your debit cards. Just speak to your bank.