With scarcely a week to go before Christmas 2013, Target announced that those who had swiped a card there since Black Friday may have had their card information lifted by data thieves. The Target debacle is generally considered the beginning of a particularly rough year, which saw Neiman Marcus, Michaels, Home Depot and other major retailers and restaurants get hacked. Already, in the first days of 2015, Chick-fil-A has announced it’s investigating a potential breach.
Here’s a run-down of some of the other biggest data breaches to occur since Target:
- Just after the new year, Neiman Marcus announced its customers had also been compromised in a hack that spanned three months.
- On Jan. 25, 2014, crafts supply chain Michaels admitted it was also investigating a data breach.
- On Jan. 31, security blog Krebs on Security broke the news about a breach at various Marriott hotels operated by White Lodging Services Corporation.
- On June 9, stolen credit and debit card data from cards used at P.F. Chang’s showed up on an underground site notorious for selling stolen card info.
- On Aug. 15, the parent company of Jewel-Osco (AB Acquisition LLC) announced that customers’ credit card data had been compromised at some stores.
- On Sept. 9, Home Depot confirmed it had been hacked in a breach that could go back as far as April.
- In Dec. 2014, women’s clothing retailer Bebe announced an attack on its stores in the U.S., Puerto Rico and U.S. Virgin Islands that took place between Nov. 8 and Nov. 26.
- Rumblings about a breach at Staples were first heard in October, and Staples confirmed the breach on Dec. 19. At most of the 115 affected stores, the malware had access to consumer data between mid-August and mid-September.
Whenever a new breach is announced, there tends to be a lot of speculation about what kind of data was stolen. Here’s a summary of what is known (we’ll be updating this post as more information becomes available) — and what you need to know about the free credit monitoring that breached retailers have offered to victims.
Data breaches: What we know

| Company | How it happened | When it happened | Number affected | What was taken | What they're doing about it |
|---|---|---|---|---|---|
| Target | Malware installed on point-of-sale (POS) terminals. Hackers gained access by using stolen contractor credentials. | Nov. 27, 2013 - Dec. 15, 2013 | Up to 70 million customers (40 million cards) | Credit/debit card numbers, CVV, encrypted PINs, names, mailing addresses, email addresses, phone numbers | Offering one year of free credit monitoring via Experian to customers who shopped during breach. Target is also switching all its REDcards over to chip and PIN in early 2015. Target has a FAQ on the issue. |
| Neiman Marcus | Malware installed on POS terminals. Hackers gave the malware a name nearly identical to that of the payment software, to help it go undetected. | July 16, 2013 - Oct. 30, 2013 | 350,000 customer cards; 9,200 cards known to be used fraudulently | Credit and debit card numbers | Offering one year of free credit monitoring via Experian for customers who shopped between Jan. 1, 2013 and Jan. 1, 2014. Neiman Marcus has a FAQ on the issue. |
| Michaels | Malware on POS systems at Michaels and subsidiary Aaron Brothers | May 8, 2013 - Jan. 27, 2014 | Up to 2.6 million cards | The systems that were hacked contained debit and credit card numbers and expiration dates. | Free credit monitoring and identity protection via AllClear ID for affected customers. Michaels is providing updates here. |
| White Lodging | Malware installed on POS terminals at the food and beverage outlets of 14 hotels | March 20, 2013 - Dec. 16, 2013 | Unknown | An unknown number of debit and credit card numbers, names of cardholders, security codes, card expiration dates | Offering one year of free identity theft protection from AllClearID to those who used a credit or debit card at any of these hotels between March 20, 2013 and Dec. 15, 2013. White Lodging is providing updates here. |
| P.F. Chang's | Still being investigated | Oct. 2013 - June 10, 2014 | 33 restaurants affected. Number of cards unknown | Debit and credit card numbers; cardholder names; expiration dates. | Temporarily used manual credit card imprinting devices at all U.S. locations. One year of identity theft protection for all customers potentially affected. Has established a hotline to answer questions (1-877-412-7152). P.F. Chang's is providing updates here. |
| Jewel-Osco | Computer hacking | June 22, 2014 to July 17, 2014 | Unknown | Credit card and debit card payment information. | 12 months of free ID protection services from AllClearID for affected customers. Jewel-Osco is providing updates (as well as stores affected) here. |
| Home Depot | Stolen credentials from third-party vendor, malware installed on self-checkout systems | Home Depot announced breach Sept. 9. Suspects it could extend back to April. | 56 million debit and credit cards, 53 million customer email addresses | Debit and credit card numbers, email addresses, NOT PINs | Free ID protection services, including credit monitoring, to customers who used a card at Home Depot store since April 2014. Plans to roll out chip and PIN to all U.S. stores by end of the year. Home Depot is providing updates here. |
| Bebe | Still being investigated | Bebe announced breach on Dec. 5, 2014. Breach occurred between Nov. 8, 2014 and Nov. 26, 2014 | Unknown | May have included cardholder name, account numbers, expiration date and verification code | Free credit monitoring for one year to customers who made a purchase during the breach. Bebe is providing updates here. |
| Staples | Malware on POS | Aug. 10-Sept. 16 at most of the affected stores. July 20-Sept. 16 at two of the stores. | 1.16 million payment cards. 115 stores. | Cardholder names, card numbers, expiration dates, card verification codes. | Free credit monitoring. Details and list of affected stores here. |
Data breaches through the years
Although they’re making headlines now, the most recent breaches aren’t the first — or the biggest. Information Is Beautiful has an interactive graphic that shows the biggest breaches in history. It proves that even the giants of retail, banking and payment processing can be brought down by a handful of hackers.
Here are some of the retailers that have been compromised over the past several years:
Now, about that free credit monitoring …
The businesses involved in the most recent data breaches (Target, Neiman Marcus, White Lodging and Michaels) are offering up free ID theft protection and credit monitoring to affected customers. But what is that, exactly?
Basically, these services keep tabs on your credit and personal information, informing you if new accounts are being opened in your name or if your information (Social Security number, PIN, etc.) pops up in the list of information stolen in a data breach. If you were to purchase these services on your own, you’d be paying about $15 a month. So these retailers providing it for free for up to a year for each affected customer seems like a generous gesture.
But here’s what credit monitoring and ID theft protection don’t do: They don’t prevent thieves from using your stolen card number to make purchases or create duplicate cards. In fact, because using stolen card info doesn’t require the thief to open new credit in your name, those fraudulent purchases won’t turn up on your credit reports — so any service monitoring your credit will be blind to them. As an informed consumer you have to realize that retailer or bank offers of credit monitoring are in fact a PR gesture meant to protect their image and not a true panacea for protecting your security interests. Sadly, the ball is in your court when it comes to guarding your credit.
In reality, the only way to truly protect yourself against fraudulent purchases is to keep an eye on your transaction history and ask your bank to cancel your card and issue you a new one with a different number. A good tactic for keeping tabs on your transactions in near-real time is to set up email or text alerts with your card – this only takes a few minutes and gives you immediate feedback every time your card is used, so catching unauthorized purchases becomes much more feasible. To their credit, Citi and Chase proactively cancelled and reissued all debit cards involved in the recent Target breach, but they were the exceptions and not the rule. If you have a credit card, you might consider asking your issuer if it provides cards with chip and signature technology. These cards encode information differently with each transaction (making it harder for thieves to use the data they steal) and are tougher to clone — although they won’t protect you much until retailers start investing in terminals that accept smart chip technology. Yet, the fallout from these breaches could motivate them to do so. Target intends to update its system by early 2015, according to its CFO’s Senate Judiciary Committee testimony on Feb. 4, 2014. The retailer also announced in May 2014 that it would be updating all its REDcards to chip and PIN in early 2015.
So are these free monitoring services any good? For some they may be — namely, those who fell for phishing scams in the wake of the breaches. If your contact information was stolen (and contact information was stolen in the Target breach), you could be getting calls, texts and emails from scam artists pretending to be from either the retailer or the bank that issued your debit or credit card. They might ask you for the information they didn’t get in the breach, such as your Social Security number (which Target and Neiman Marcus insist the thieves did NOT get) under the guise of protecting you. Problem is, your Social Security number is the key to your identity — and exactly what thieves need to open new credit in your name. It’s important to note that retailers and banks never make these types of inquiries, so be assured any you get are fraudulent.
If you offered up your information to one of these scam artists, that’s where the free credit monitoring would come in handy. The service would let you know about any changes to the information on your credit reports, including new accounts. If new accounts start popping up, you’ll have to take more steps, including placing fraud alerts with the credit bureaus or even locking your credit down completely with a credit freeze.
Tell us in the comments: Have you found unauthorized card purchases on your statement since any of these breaches? And have you changed your shopping behavior in light of them? A recent Associated Press poll suggests that not many consumers have.
This post was updated on Dec. 22, 2014.