In addition to Target and Neiman Marcus, at least three other unidentified retailers were also hacked in December and leaked their customers’ private information.
Target was the first major retailer to publicly announce that it had been hacked in mid-December. Its initial disclosure estimated that 40 million customers were affected, but Target recently updated this figure to 70 million. This past weekend, Neiman Marcus also announced that it was hacked at around the same time, but hasn’t yet released how many customers were affected. Just today, anonymous sources claim at least three other brick-and-mortar retailers, most likely those with a physical presence in shopping malls, have also been subjected to a cyber attack originating from Eastern Europe. While not yet conclusively established, the similarities between the attacks seem too similar to not be connected somehow.
Worst Case Scenario
If a store leaked enough of your personally identifiable information, then new accounts could be opened in your name. To protect against new accounts being fraudulently opened in your name, you can ask the three major credit reporting agencies to place a credit freeze on your reports. When frozen, if someone (including yourself) tries to open a line of credit, it will be denied, and the credit reporting agencies will contact you for your instructions. The major down-side to this option is that in most cases you’ll have to pay a fee to unfreeze your credit reports when you actually do want someone to access your credit report. Alternatively, you could just pay close attention to your credit reports, and close down fraudulent accounts if they get opened. Even if there weren’t this massive security breach, you should be proactively monitoring your credit reports to keep an eye on the personal information that these credit agencies are authorized to keep. Remember, by federal law you’re allowed one free credit report per year from each of the three major reporting agencies. The best strategy is to stagger your free reports, pulling one report every four months, rotating the agencies as you go.
Most likely scenario
While some people will inevitably have accounts opened in their name, the large majority of people will just see fraudulent purchases charged to their credit cards. You should carefully examine your credit card statements for unauthorized charges. With the wide-scale availability of online account access, you can probably also catch fraudulent purchases as they happen. Federal law restricts your liability on unauthorized credit card purchases to $50, but all of the major card networks reduce that liability to $0 in an effort to keep customers happy. If you used a debit card instead of a credit card, your protections by law are shockingly weaker. Your liability can be as high as $500 if you don’t contest the charge within 60 days after receiving a bank statement, and your liability will be unlimited if you don’t report it within 60 days after. Again, many banks will waive the liability to keep you happy, but they don’t have to legally, so take the personal initiative to stay on top of your finances.
And in the future
Retailers will always be targets for data theft. Do your best to minimize exposure to the risks. If you like to pay in cash, continue to do so. When the merchant asks you for your phone number or e-mail address to send you coupons, just decline. And when they ask for your zip-code, decline that as well. They may try to claim it’s to prevent fraudulent purchases, but in actuality when the merchant combines the information it receives from the payment network with your zip code, that merchant will be able to personally identify you with near-100% accuracy. And remember, as the consumer, you always have the power. If the merchant insists on getting your personal information, and you don’t feel comfortable doing so, leave and support a merchant who has more respect for your privacy.