As you may have read over the past several hours, Target Corp. just admitted that thieves, hackers or maybe disgruntled employees made off with possibly 40 million credit card numbers and related information, including those belonging to possibly anyone/everyone who used a credit card, Target store card or debit card at Target between Nov. 27 and Dec. 15.
I have checked our credit card statements and found that, sure enough, we made the mistake of shopping at Target in between those ill-fated dates. That mistake shall not be repeated.
But no worries, says Target Chief Executive Officer Gregg Steinhafel, adding “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause.”
I hope Mr. Steinhafel will pardon me for saying so, but my trust was and remains spoiled, and I no longer will be shopping at Target, with or without confidence.
Here’s a question I have for Mr. Steinhafel: What were you doing with a giant database containing the credit card information belonging to me and 39,999,999 other people in the first place?
When I shop online, it is standard procedure for the retailers to ask whether I would like them to save my credit card information so it will be easier, smoother, quicker to buy something there the next time. I always tell them Hell no! (As a former executive of a database applications company, I have observed first-hand many of the pitfalls involved with the storage of sensitive information, starting with corporations that hire security and computer programming contractors based on their good suits, firm handshakes and shiny marketing campaigns rather than on their demonstrable track records, detailed project bids and recent references.) Simply put, I do not trust any retailer with my credit card information, and would never give my permission to any of them to store it.
Never, in the unfortunate many times I have shopped at Target, have they asked me, after a purchase, if it would be OK for them to keep my credit card information in the system to make my buying experience more zippy next time. I checked with my wife, and they never asked her, either. So I repeat my question for Mr. Steinhafel: If online stores have to obtain permission before storing customers’ credit card information, why is it you seem to think it’s OK for Target just to take that same information and store it, without seeking permission?
Here’s the answer I have in mind: It’s not OK.
So when Mr. Steinhafel says he and his fellow execs “have moved swiftly to address this issue, so guests can shop with confidence,” I reply that the only possible method of addressing “this issue” in a manner satisfactory enough to even tempt me back into one of your stores would be to read that you have dismantled your database containing my credit card information, and digitally and securely shredded all the database files.
And even under those conditions, I really doubt I’d shop at one of your stores again unless it was an emergency – like I’d just put a gash in my hand and needed a bandage – and I could pay with cash.
As a parting note, just let me add that this blog post serves as legal notice that you specifically do not have my permission to keep and store information regarding my credit card or anything else about me.
Update: Well, that didn’t take long. According to computer security expert and former Washington Post reporter Brian Krebs (who broke this hacking story in the first place), the stolen credit card info has flooded black markets worldwide. Gee, thanks Target!
Update 2: OK, it looks like Target did at least violate credit card regulations in storing some or all of 40 million customers’ credit info in a private database, as revealed deep in this story speculating that the hack attack had inside help:
The fact that CVV codes were stolen was a red flag for John Kindervag, analyst for Forrester Research, who said it was an indication that Target may have had a serious security flaw.
If CVV data were stored, then that would have been a violation of the Payment Card Industry Data Security Standard (PCI DSS) that financial institutions require of businesses accepting credit cards. In addition, if the data wasn’t encrypted, then that could also run against the standard.
Grumpy old man out.