Shopping: The growing danger of retail hacks
This month big-box retailer Target revealed that up to 110 million customers’ personal information was hacked before the holidays.
“In the battle between hackers and retailers, it sure looks as though the hackers are winning,” said Joe Nocera in The New York Times. This month big-box retailer Target revealed that up to 110 million customers’ personal information—-including names, addresses, phone numbers, and PINs—was hacked before the holidays. Since then we’ve learned of breaches at Neiman Marcus and other U.S. merchants. Security experts have determined that the attack on Target was almost certainly the work of “extremely sophisticated” Russian hackers using malware that grabbed data at the “moment of maximum vulnerability,” when customers swipe their cards and their magnetic stripes “yield all the information the hacker needed.” The obvious fix is for the U.S. to do what virtually every other country in the world has done: switch to cards embedded with far more secure chips.
Multiple investigations into the hacks are underway at the federal and state levels, said Amrita Jayakumar and Hayley Tsukayama in The Washington Post. But whatever they find, there’s no doubt that you should “keep an eye out for any strange transactions” on your credit and debit cards. There’s no all-clear for data breaches of this nature: “Hackers who take big swaths of data like this sell them to criminals, so your information could stay on the marketplace for a while.” Target says it encrypted customers’ PINs before they were stolen, but “debit card users may want to take the precaution of calling their banks to get their PINs changed.” Report any fraudulent or suspicious charges to your bank or card issuer, and scrutinize any emails “that appear to come from your bank or Target.” Numerous reports have surfaced about phishing scams that masquerade as customer support in sometimes quite ingenious attempts “to trick people into parting with personal information.”
There’s still “no federal law that requires disclosure of security breaches,” said Pamela M. Prah in USA Today. But most states do require companies to inform consumers when their data has been compromised. California’s laws are the strongest, laying out a catalog of data breaches that companies are required to report. California has also passed laws requiring businesses to give more detailed disclosures about their privacy policies and what information they gather from online consumers. Given the number of security incidents we’ve seen lately, these are all laws “that other states are expected to consider this year.”