Target's 'We've Been Breached' sale is a little cynicism for the holidays

A sale, right before Christmas? What an extraordinary step for a retailer to take! And that hefty 10% off is available to everyone. Target's millions of breach victims must be feeling very special.

Contributing Columnist, Computerworld |

Data breaches can happen to anyone. One just happened to Target, which announced that data involving some 40 million credit cards had been accessed. What really matters is how a company handles a breach.

Overall, Target seems to have handled things as well as most other companies in the same tough spot. That said, it has nonetheless taken a serious breach and cynically tried to turn it into an opportunity for profit. It's not the first company to do this, but let's hope it's the last.

On Friday, Target CEO Gregg Steinhafel announced a "Data Breach Sale," encouraging people to come back to Target, spend more money and give up more payment information. There are two things that make me call this cynical. First, a 10%-off sale, running on Dec. 21 and Dec. 22 (the Saturday and Sunday before Christmas), seems like something a savvy retailer like Target might have already planned to do, with or without a headline-grabbing data breach. Second, what does this do for the actual victims of the breach? They got the privilege of paying a mere 90% of the marked price if they shopped at Target this weekend, but so did everyone else.

Steinhafel's rationale? He said the universal discount was in the "spirit" of "we're in this together."

Keeping Christmas merry for Chase

When credit or debit card numbers are accessed by thieves, the typical procedure, for quite a few years, has been to shut down the affected cards and immediately issue new ones to the cardholders. Thieves know that once a breach has been discovered, they may have as little as an hour before the card data becomes worthless. That's why they use lots of accomplices to make simultaneous purchases and withdrawals, so they can monetize the stolen data while it's still worth something.

But that standard procedure has been radically modified in the case of the Target breach. JPMorgan Chase on Saturday announced that it would limit affected Chase debit cardholders to $100 in cash withdrawals and $300 in total purchases per day. Why limit the cards instead of shutting them down? It's all about the calendar.

Bankers know that for retailers (and by extension, for bankers themselves), any day in December is generally worth far more than any day in March or June. If Chase took the normal path of shutting down those millions of affected cards, the cardholders would have to finish up their Christmas shopping using other payment methods, as they wait anywhere from two days to a week for the replacement card to arrive. Does Chase want to be shut out from its share of so many last-minute holiday purchases? Apparently not, and so it decided to allow some purchasing to go ahead, while putting a limit on the absolute total loss it could suffer through fraud.

I'm expecting that come Christmas Day, when the nation's cash registers have stopped smoking, Chase will indeed reissue the cards.

The sheer volume of the Target attack could be another factor in the decision. Target said that some 40 million cardholders were affected, and Chase puts its share of those at over 2 million. That's a lot, and historically, data breach numbers have risen after their initial announcement. The process of reissuing so many cards is daunting and may have given Chase an incentive to hold off a bit.

Then there's the honeypot theory. One Chase fraud customer service employee was willing to speculate that the bank hopes that its card downgrade will serve as an after-the-fact honeypot. By publicly saying that Chase will keep these accounts open, this theory argues, the bank may be trying to lure the thieves into risking stolen-data monetization beyond the usual one or two hours.

This would be highly risky for the thieves and, given the sophistication and coordination of the attack, it seems unlikely they would fall for it. With stores on high alert for anyone using the stolen data, security personnel would be poised to immediately detain anyone using such data. ATMs would be only minutely safer. On the other hand, not shutting down the cards allows scams like this location-sorted cardholder routine to work.

Is Chase's decision too big a security risk? Perhaps, but it may not be alone -- and it may not even be the biggest risk-taker. CNBC reported that Citibank "was also imposing limits on debit cards for affected customers if it sees suspicious activity, though the extent of those limits was not immediately clear." Wait a second. This is an order of magnitude riskier, if true.

When a major retail data breach happens, the list of affected card data should include everyone whose data was accessible to -- not necessarily accessed by -- the thieves. Think of it this way: If a thief has broken into a room filled with unlocked file cabinets, the only safe assumption is that the thief might have accessed each and every file there.

What Chase is doing is limiting the access of everyone whose data might have been touched. The CNBC report suggests that Citibank is doing nothing until there's some evidence that a customer's data is being used illegally. And then, despite that evidence, Citibank is just going to impose limits on the card, not shut it down. That's positively reckless. If there is any vertical that respects security policies and their rationale, it's banks. When a bank is willing to keep a security risk open deliberately to try and preserve revenue, you could say that it has internalized one version of the holiday spirit: profit at all costs. Or maybe Chase and Citibank executives are just hoping the thieves don't want to work the holidays any more than they do.

--Evan Schuman

Yes, except that the actual victims were definitely in it more than those people who didn't have their payment information compromised. How about doing something for the victims that they might actually appreciate -- like giving them partial refunds for what they had bought at Target when their data entered its soon-to-be-attacked systems.

Note to Target: When you screw up and fail to protect tens of millions of your customers, trying to use that screw-up as an upsell opportunity is not going to make customers trust you more.

A few other unsolicited tips for handling the breach aftermath:

We'll trust you when you show you can be trusted. Target, if you are going to announce that "the issue has been identified and eliminated," you should probably back that statement up with some facts. You offered zero details to back up either claim, so it was pretty much saying, "Trust me." That's exactly what those 40 million shoppers did when they used their payment cards in your stores, so you'll forgive them if they're hesitant right now to do it again.

If the issue has indeed been both "identified and eliminated," why not get specific? No need to go chapter and verse on every keystroke used, but a healthy heaping of details would go a long way toward convincing people that you've truly plugged the hole. The bad guys certainly already know where the hole was, and if you've truly plugged the hole, there's no security risk involved in telling others. Hold back a few details if you must, but by saying, "We've figured it all out and our system is now fine. Just fine. Nothing to see here. Just go back to giving us your money," you're really giving people reason to be even more suspicious.

1 2 Page 1 Next

Page 1 of 2

It’s time to break the ChatGPT habit