What to Do About the Target Data Theft
Scammers may have your credit-card and debit-card numbers, along with other personal information. Here’s how to protect your accounts.
As millions of holiday shoppers used their credit and debit cards on Black Friday and in the weeks following, malware installed on payment terminals at Target stores was busy collecting their personal information. Names, card numbers (including security codes), expiration dates and encrypted PIN data were compromised for about 40 million card accounts.
Separately—though it was part of the same breach—names, phone numbers, and e-mail and mailing addresses for as many as 70 million customers were also stolen. (Neiman Marcus reports that it suffered a hack over the holiday season, too, possibly resulting in unauthorized charges on some of its customers’ cards.)
Here are answers to questions you may have about the Target data theft, as well as other data breaches.
Will I be responsible for unauthorized charges?
Target is promising customers that they will not be responsible for any unauthorized purchases on their cards. Plus, anytime a thief uses your credit or debit card, you likely won’t be responsible for the damage as long as you take action quickly.
Legally, victims of credit card fraud are responsible for up to $50, but American Express, Discover, MasterCard and Visa all have zero-liability policies. With debit cards, your liability could be unlimited, depending on how long it takes you to report an unauthorized purchase. But banks usually refund fraudulent debit card purchases as long as you notify them shortly after you notice a problem (you’ll have to wait for the bank to replenish your account).
Should I ask for a new card?
Asking your bank or credit card issuer to send you a new card with a new number is the best way to nip potential theft in the bud. (Your bank may already be on top of it. Chase, for example, is reissuing about two million cards to affected customers.) And it’s especially a good idea if you suspect that your debit card data has been stolen, given that a debit card provides direct access to your bank account—and that its legal protections are less robust than those of a credit card.
As soon as you get your new card, notify any services—say, your electric utility or cable company—that charge automatic bill payments to the card so that you aren’t hit with fees for missed payments. If you do incur any fees, explain the situation to the company and ask to have them waived. Bill collectors may be more generous than usual in the wake of the breach.
What if I don’t get a new card?
If you decide to hang on to your card, keep close tabs on your bank or credit card account. For the first couple of months, log in daily to check for suspicious activity, suggests Beverly Harzog, a credit card expert and author of Confessions of a Credit Junkie. After that, try to check in about once a week. (A weekly check-in is a good habit to maintain for all of your bank and credit accounts, regardless of whether you think they’ve been compromised.)
Could I be scammed in other ways?
Target’s discovery that it also gave up customer names, e-mail and mailing addresses, and phone numbers presents another worry: phishing scams. Target says that it is aware of fake messages being sent to customers that appear to be from the company, and it has listed the text of all of its official communications on an informational page so that customers can verify that they’re receiving authentic messages.
Fraudsters could also piece together, say, your credit card number, name and e-mail address to create a convincing e-mail that appears to be from your financial institution, says Jody Farmer, vice-president of strategic marketing at CreditCards.com. Or scammers posing as agents from a business or government agency may e-mail you, call you or send text messages. If you’re not sure that a message is legitimate, don’t click on any links that it contains or give away personal information that it requests. Look up the institution’s phone number and call to verify that it contacted you.
Should I worry about my identity being stolen?
So far, the breach doesn’t appear to have involved key information, such as Social Security numbers, that thieves would likely need to open new credit accounts in your name, says Farmer. But it wouldn’t hurt to sign up for the free credit monitoring that Target is offering to all customers through its Web site. For a year, you’ll receive updates on any changes in your credit file through Experian’s ProtectMyID identity-theft protection service. The service includes a free copy of your Experian credit report as well as daily monitoring for any changes in it, such as new account inquiries or delinquencies.
If fraud pops up, an agent will help you through the next steps. ProtectMyID doesn’t ask for payment information when you sign up for credit monitoring through Target, so you don’t need to worry about your membership being automatically renewed—and your card charged—after a year passes. You can also check your credit reports from the three major bureaus—Equifax, Experian and TransUnion—free once a year at www.annualcreditreport.com.
I’m still nervous about ID theft. What else can I do?
You could place a freeze on your credit reports as a preventive measure, says Adam Levin, chairman and cofounder of Identity Theft 911. Lenders won’t be able to offer new credit in your name without your permission. You’ll have to request the freeze separately with each of the three credit agencies, and you may pay fees of up to about $10 each to freeze and thaw your files depending on your state and whether you’ve recently been a victim of identity theft.
Keep in mind that a credit freeze could cause delays if you expect to shop for new credit—say, a credit card or a mortgage. A less-drastic action is to place a fraud alert on your reports, which is free and requires lenders to take extra precautions to verify your identity before granting new credit. The alert lasts 90 days, and you’ll get a free copy of your credit report from each of the bureaus. If you set up an alert with one bureau, it will notify the other two.