retail news in context, analysis with attitude

Some stories related to the Target data breach…

CNN reports that the Department of Homeland Security has distributed a warning to US retailers, telling them about sophisticated malware that potentially could affect a large number of stores. "The malware infects individual point of sale devices. It monitors data processed on the device, then transmits that data outside of the retailer," according to the story. And, CNN reports, at least part of the code is written in Russian.

• Meanwhile, the New York Times reports that "the computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach was not fully contained until Sunday, according to people briefed on the investigation … The company disclosed the data theft of customer information late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores."

Neiman Marcus officials are saying they know of no connection between its breach and the one that took place at Target, and have not estimated how many customers may have been affected by its breach, though it appears to have gone on much longer.

• This week, customers have been receiving an email from Target CEO Gregg Steinhafel that reads as follows:

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.

In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:

• Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.

• Delete texts immediately from numbers or names you don’t recognize.

• Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.

Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our website. If you have further questions, you may call us at 866-852-8680.

KC's View:
I have to admit that I'm sort of underwhelmed by the Target email … and fascinated that I've gotten it in my email box, since the last time I used a debit card at Target was in September 2012. (I did an MNB piece about it that you can read here.)

I have this feeling that this is going to be an enormous hairball for retailers and consumers. And I think it is going to get worse before it gets better.