• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Information about recent retail data breaches in the United States: an FAQ

Information about recent retail data breaches in the United States: an FAQ

  • Posted on:January 14, 2014
  • Posted in:Industry News, Security
  • Posted by:Christopher Budd (Global Threat Communications)
0

Updated February 12, 2014 with additional information about Target, Neiman Marcus, Michael’s and White Lodging

Overview:

Since December 2013, there have been a series of data breaches affecting retail stores in the United States. Because of the number of different breaches being disclosed in a short amount of time and the differing details of each, this situation is confusing. To help you better understand what’s going on, what this might mean for you, and what you should do, we’ve put together a list of Frequently Asked Questions (FAQ) to break out the issues and explain them for you.

What are the retail data breaches in the United States?

The retail data breaches in the United States are an ongoing series of announcements of credit and debit cards and customer information that have been stolen from retail outlets in the United States. The specifics vary with each retailer’s data breach but overall these breaches involve the loss of credit and debit card information and/or customer personal information.

Who are the retailers involved?

Currently we have information on four major retailers affected by this.

  • Target: On December 19, 2013, Target announced  a data breach affecting 40 million in-store whose credit and debit card information was stolen.  On Friday January 10, 2014, Target announced that personal information of up to 70 million individuals was lost in the data breach they originally on December 19, 2013.
  • Neiman Marcus: On January 10, 2014, it was reported that Neiman Marcus had some of their in-store customers’ credit and debit card information stolen. On January 22, 2014, Neiman Marcus officially confirmed the data breach.
  • Michaels: On January 14, 2014, it was reported that the banking industry was tracking a pattern of fraud involving credit and debit cards used at Michaels stores. On January 25, 2014, Michaels officially confirmed that an investigation of possible data breach was in progress.
  • White Lodging: On January 31, 2014, it was reported that there was a possible data breach affecting White Lodging who runs hotel franchises under the Hilton, Marriott, Sheraton and Westin brands among others. The report claimed that the breach affected customers of gift shops and hotels within the hotels and that customer credit and debit card information was lost. On February 1, 2014, Marriott confirmed the investigation and clarified that they and their systems were not affected. On February 3, 2014, White Lodging confirmed  the data breach in a statement.

With all these data breaches in the news at once, it sounds like there’s a big coordinated attack against retailers, is that the case?

The simple answer is we just don’t know. All of these are active investigations and data breach investigations take time. Until these investigations are completed, we won’t really know for sure what’s going on. Saying anything would be groundless speculation.

Why is it taking so long to get information? Shouldn’t they easily know what happened and who’s affected?

Investigating data breaches is a very meticulous process. If you’ve ever seen shows like “CSI,” you’ve seen how forensics investigations are a careful scientific process. The same is true for computer forensics: investigators have to methodically investigate point-of-sale terminals, servers, network equipment, firewall logs, and databases among other things. And as we’ve seen with the Target data breach alone, these investigators have to comb through hundreds of millions, if not billions, of records. And they have to do this in a way that is documented appropriately to withstand the challenges that may be raised in a criminal trial.

I’m not a customer of any of these stores. Is there anything I should do?

With multiple retailers affected and the possibility that other retailers may announce they’ve been affected it makes sense to be proactive about this situation. Specific steps you should take include:

  • Check your credit report for unauthorized or unusual activity.
  • Review your credit card statements. Because some of these events appear to have happened months ago, it’s a good idea to review statements for all of 2013 if you can.
  • Keep the operating system and applications/app on your computers and devices fully up-to-date.
  • Run a mature, multi-layered security suite like Trend Micro Titanium.
  • Consider getting credit monitoring and identity theft protection to provide real-time monitoring for any fraudulent, unauthorized or unusual activity.

I live outside the United States, could I be affected?

Yes, if you visited the United States and shopped at the any of the affected retailers and paid with a credit or debit card during the timeframes that they’ve outlined, you could be affected. In particular, people in Canada and Mexico who travel to the United States for shopping could be affected by this.

I shopped at one of the retailers affected by a data breach but have a chipped card or smart card, could I be affected?

Yes. Credit and debit cards with a chip that requires use of a personal information number (PIN) (often called “chip and pin” cards) are only better protected than traditional credit cards when they are used with a chip and pin reader. When used with a traditional credit card reader like these retailers use in the United States, these cards function just like traditional credit cards and so are as much at risk as non-chip and pin cards.

Target

On Friday January 10, 2014, Target announced that personal information of up to 70 million individuals was lost in the data breach they originally announced on December 19, 2013.

Is this a new data breach?

No. According to Target, this is not a new data breach. Target says this information was stolen as part of the data breach that they originally announced in December 2013.

But Target is saying new data has been lost, right?

That’s right. While they’re saying there wasn’t a new incident, they are saying that they now understand that more data was lost in the December incident than they previously thought. To use an everyday analogy, burglars broke into their house only once in December. But in addition to the TV that Target knew was stolen then, they’ve also discovered that the burglars also took a laptop.

What data did Target say was lost in the original announcement in December 2013?

Target announced in December that credit and debit card information of up to 40 million people who shopped in stores in the United States between November 27, 2013 and December 15, 2013 was stolen.

I shopped at Target online but not in-store, am I affected?

According to Target, no. This data breach only affects in-store shopping.

How is this new data loss different from what Target announced in December?

With this latest announcement, Target is saying that personal information of up to 70 million customers was also lost. This loss is different because its a different set of data: it’s personal information instead of credit and debit card information. And it’s a separate pool of affected people: its 70 million people instead of 40 million people.

What’s the relationship between the two Target data losses? If I was one of the 40 million people affected by the data loss announced in December 2013, am I affected by this one?

You might be. However, we just don’t know for sure.

Target hasn’t said that there’s any relationship between the two data losses other than they happened as part of the same data breach.  Reports indicate there is some overlap, meaning some customers are affected by both data loses. But reports indicate that a total of over 100 million customers may be affected by both incidents. The Washington Post notes this means that up to 1/3 of households in the United States may be affected by this situation.

What information was lost in the January 2014 Target data loss?

According to Target, the data lost includes names, mailing addresses, phone numbers, or email addresses for customers.

What could someone do with all this information? How serious is each data loss? How concerned should I be?

The December 2013 data loss involves credit and debit card information. That information can be used to make fraudulent purchases. In fact, this has been happening already for weeks or months. If you are affected by this data loss, it’s very serious and you should be very concerned.

The January 2014 data loss involves personal information but doesn’t include critical information like your social security number. Target also reports that in some cases the information is partial, meaning it may be just your name and email address but nothing else.  It’s not enough information by itself to enable full identity theft. But it can be combined with other information for identity theft.

What is Target doing about this?

Target has said that in response to the December 2013 data loss they will offer free credit monitoring and identity theft protection for all customers who shopped in their stores, not just those 40 million customers whose credit and debit card information was stolen. However, so far, Target has NOT indicated that they will make credit monitoring and identity theft protection available for anyone affected by the January 2014 data loss. 

Where can I learn more about the credit monitoring and identity theft protection Target is offering?

You can learn more about the credit monitoring and identity theft protection that Target is offering at this page.

I’ve gotten a notification from Target that I’ve been affected what should I do?

First, you should not click any links in any email notification or give any personal information on an in-coming phone call. With these incidents gaining broad attention, they’re now prime candidates for spam/phishing/telephone fraud. If you receive a notification, you should first take steps to verify that the notification is legitimate. Official notifications will be backed up by information on the company’s websites and through the customer service organizations. If you receive a notification, you should visit their official web page and/or call their official customer support lines to start the process.

I shopped at a Target store between November 27, 2013 and December 15, 2013 but haven’t been told I’m affected, should I do anything?

Yes. Target is offering credit monitoring and identity theft protection for all customers who shopped in their stores during that window, regardless of whether they were part of the 40 million affected or not. If you shopped at Target during this time, and you don’t already monitor your credit, you should take advantage of their offer for extra protection.

I’m a Target customer, but I didn’t shop at a Target store between November 27, 2013 and December 15, 2013, and haven’t been told I’m part of the 70 million affected by the January 2014 data loss. Is there anything I need to be concerned about?

Possibly. You may be part of the 70 million affected by the January 2014 data loss and not know it. Target has indicated that they will contact people affected by that data loss to the best of their ability. But they may not have enough information to be able to notify you. If you’re a Target customer and haven’t been notified that you’re affected it is still a good idea to watch for any suspicious activity.

Where else should I look for more information about this?

In addition to this FAQ, you should read Target’s official FAQ. Target has also put together a central information hub that collects information and resources related to this situation.

Neiman Marcus

What is going on with Neiman Marcus?

It was reported on Friday January 10, 2014 that the United States Secret Service was investigating fraudulent changes that in-store Neiman Marcus customers were seeing after shopping there in December 2013. Neiman Marcus confirmed the report on Saturday January 11, 2014.

What has Neiman Marcus said about their data breach?

In their statement, Neiman Marcus outlined that the data breach occurred from July 16, 2013 until October 30, 2013. During that time up to 1.1 million credit and debit cards may have been at risk of theft. As of the time of their statement they had confirmed that approximately 2,400 cards had been used fraudulently.

I shopped at Neiman Marcus online but not in-store, am I affected?

According to Neiman Marcus, no. This data breach only affects in-store shopping.

What could someone do with this information? How serious is this? How concerned should I be?

This data loss involves credit and debit card information. That information can be used to make fraudulent purchases. In fact, this has been happening already for months. If you are affected by this data loss, it’s very serious and you should be very concerned.

What is Neiman Marcus doing about this?

Neiman Marcus has said that they offer all customers who shopped between their stores between January 2013 and January 2014 a year’s free credit monitoring and identity-theft protection. They have also indicated that they will try to contact all customers who shopped in their stores during this time that they are able to.

Where can I learn more about the credit monitoring and identity theft protection Neiman Marcus is offering?

You can learn more about the credit monitoring and identity theft protection that Neiman Marcus is offering at this page.

I’ve gotten a notification from Neiman Marcus that I’ve been affected what should I do?

First, you should not click any links in any email notification or give any personal information on an in-coming phone call. With these incidents gaining broad attention, they’re now prime candidates for spam/phishing/telephone fraud. If you receive a notification, you should first take steps to verify that the notification is legitimate. Official notifications will be backed up by information on the company’s websites and through the customer service organizations. If you receive a notification, you should visit their official web page and/or call their official customer support lines to start the process.

Where else should I look for more information about this?

In addition to this FAQ, you should read Neiman Marcus’s official statement and FAQ.

Michaels

What is going on with Michaels? I heard they’ve confirmed a data breach investigation is under way like with Target and Neiman Marcus data breaches.

On January 14, 2014, it was reported that the banking industry was tracking a pattern of fraud involving credit and debit cards used at Michaels stores. On January 25, 2014, Michaels officially confirmed that an investigation of possible data breach was in progress.

What has Michaels said about their data breach?

At this point, they’ve only confirmed that an investigation of a possible data breach is in progress. There is no other information about this data breach from Michaels at this time.

I shopped at Michaels and am concerned, is there anything I can do now?

Right now, if you shopped at Michaels and are concerned about this situation you should follow the best practices outlined at the beginning of this FAQ.

Where else should I look for more information about this?

In addition to this FAQ, you should read the page Michaels has put up with more information.

White Lodging

Who is White Lodging?

White Lodging is an independent hotel management company that operates hotels as a franchisee of those hotel brand companies. Brand companies they are franchisees for involved in this situation include Holiday Inn, Marriott, Radisson, Renaissance, Sheraton, and Westin.

What is going on with White Lodging?

On January 31, 2014, it was reported that there was a possible data breach affecting White Lodging who runs hotel franchises under the Hilton, Marriott, Sheraton and Westin brands among others. The report claimed that the breach affected customers of gift shops and hotels within the hotels and that customer credit and debit card information was lost. On February 3, 2014, White Lodging confirmed  the data breach in a statement.

Does White Lodging know which specific hotels are affected?

Yes. They have provided a list of specific hotels that were affected on their FAQ page.

What has White Lodging said about their data breach?

In their FAQ page, White Lodging confirmed that customer credit and debit card information was taken from several hotels from March 20, 2013 until December 16, 2013. In most cases the data was taken from food and beverage stations within the hotels. In one case they believe the property management system was involved as well.

I stayed at of these hotels but didn’t buy anything from their food and beverage stations in the hotel am I affected?

According to White Lodging, no, with the possible exception of the one hotel who’s property management system was affected. Most notably, at this time, the issue appears to not affect these hotels reservations systems, nor those of White Lodging or the hotel brands (Marriott, Sheraton, etc).

What could someone do with this information? How serious is this? How concerned should I be?

This data loss involves credit and debit card information. That information can be used to make fraudulent purchases. In fact, this has been happening already for months. If you are affected by this data loss, it’s very serious and you should be very concerned.

What is White Lodging doing about this?

White Lodging says they are working with credit card companies and banks to monitor or take other action to protect cards affected in this incident. White Lodging says they will also provide free credit monitoring and identity theft protection for those affected. It’s important to note in this case that White Lodging will NOT be contacting those affected: they say that they do not have the means to contact card holders.

Then how do I know if I’m affected?

White Lodging’s page is directing people with questions about whether they’re affected or not to the banks that issued your credit cards. For example, if you used a credit card at one of the affected hotels issued by Bank of America, you would contact them.

Where can I learn more about the credit monitoring and identity theft protection White Lodging is offering?

You can learn more about the credit monitoring and identity theft protection that White Lodging is offering at this page.

I’ve gotten a notification from White Lodging that I’ve been affected what should I do?

Ignore it: it is not legitimate. White Lodging has made clear that they will not be contacting those affected. Based on this, you should assume any contact about this situation from someone claiming to be from or representing White Lodging is lying.

Where else should I look for more information about this?

In addition to this FAQ, you should read White Lodging’s official FAQ page.

 

Related posts:

  1. What You Need to Know about the P.F. Chang’s Data Breach
  2. It’s Time for You to Get Real Time Identity Theft Monitoring
  3. The Trouble With Retail: Analyzing a Decade of Data Breaches
  4. SMB vulnerabilities overlooked in focus on big retail breaches

Security Intelligence Blog

  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts
  • Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
  • Ensiko: A Webshell With Ransomware Capabilities

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • ISO/SAE 21434: It’s time to put the brakes on connected car cyber-threats

Follow Us

Trend Micro In The News

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.