Jessica Piffero of Fresno was like thousands of other customers throughout Fresno and the San Joaquin Valley who used their debit or credit cards for holiday shopping at a Target store.
Unbeknown to them, hackers had managed to penetrate Target's card-payment systems and, over a three-week period in late November and December, steal data for credit and debit card accounts, compromising account information for as many as 40 million customers nationwide.
Once news broke about the massive data breach, a nervous Piffero began closely monitoring her bank account for funny business — making sure there were no fraudulent transactions with her card number.
Then she received a notice from Golden 1 Credit Union, where she and her husband bank — the Sacramento-based credit union "is proactively replacing all potentially impacted cards" of customers who shopped at Target between Nov. 27 and Dec. 15.
"I was a little shocked" by the notice, Piffero said. "You hear about these card breaches in the news, and I've never really been a part of this before. I knew this was a large one."
Monitoring her account information is one of the key things that data security experts agree customers should be doing in the wake of the Target fiasco. But others say it's an even better idea to cancel the potentially compromised card and ask the bank or credit union to replace it with a new one.
"Frankly, it isn't a bad idea to replace your card after the holidays anyway," said Ken Westin, a technology security researcher and a contributor to Tripwire.com's "The State of Security" blog. "Credit cards are promiscuous; they get handled frequently by a lot of different people, and with each interaction/purchase, the risk increases.
"Then you add in a major breach like this where that number is now out in the wild, and it is better to just put that card out of its misery and get a fresh new one," Westin said.
That's one reason that Golden 1 — the seventh-largest credit union in the U.S. — is reissuing new cards to about 72,000 members. That's more than 11% of its 651,000 members statewide.
"It was a pretty easy decision, given that this happened right at the holidays," said Scott Ingram, a Golden 1 spokesman. "We knew people were going to be more likely to use their cards during this time, and the risk of fraud might be higher than at some other time of the year. That made it important to take quick action."
But that action comes at a cost. Ingram estimated that Golden 1's expenses to notify its members and replace cards "is approaching about $400,000 for us at this point, not counting staff time and overtime."
By the middle of last week, Piffero had yet to receive her new Golden 1 debit card, but she's not overly concerned. She's continuing to keep a close eye on her account details online. "No bad things have happened yet," she said.
Golden 1 isn't the only financial institution replacing debit cards. Fresno-based Central Valley Community Bank reported that it will reissue cards to about 2,200 of its customers who are among Target shoppers affected by the breach. So, too, are Porterville's Bank of the Sierra, the largest community bank based in the central San Joaquin Valley; Fresno First Bank; and the Fresno County Federal Credit Union.
Among the bigger national banks with branches in the Valley, JPMorgan Chase and Union Bank report that they are replacing cards that are at risk for fraud because of the Target breach.
Front and center
While Target's card-data theft was a large and notable breach, it was not the only incident last year in which customers' information was put at risk. The Identity Theft Resource Center, a San Diego-based nonprofit, reported that through Dec. 31, almost 620 data breaches occurred among banks and financial institutions, businesses, educational institutions, health-care organizations and government or military agencies.
By the ITRC's reckoning, those breaches potentially put at risk at least 58 million records — Social Security numbers, driver's license numbers, medical records or credit/debit card data — and possibly many more, because in most instances the volume of compromised information is not publicly reported.
"We know there's a correlation between data breaches and fraud or identity theft," said Eva Velasquez, president and CEO of the ITRC. "About one in four consumers who are notified of a data breach will eventually become victims of identity theft."
The Target breach put the issue at the forefront of the public's attention. Ordinarily, the ITRC's toll-free telephone call center in San Diego handles about 10,000 calls in a year. But after the Target situation was reported, "we took 1,100 calls in three days," Velasquez said. "That tells you how many people are paying attention to this.
"If we had to silver-line this issue, it's that Target is such an iconic brand and this happened at the holidays, people are now aware that this is something they need to pay attention to," she added. "The world we live in has these very sophisticated electronic infrastructures, but none of them will be impenetrable."
While card data and PIN numbers are at risk in the Target breach, Velasquez said there's no indication from Target that even more critical information, like Social Security numbers, were compromised. "That's the key component" to fraudsters opening new lines of credit under someone else's identity.
"We're telling people to react, but not to panic," Velasquez said.
ITRC is encouraging people to closely monitor their bank accounts for suspicious charges and to work with their financial institution on what other steps to take, Velasquez said. "Because this breach involves so many different methods of payment — credit cards and debit cards — all of these different card issuers, all these financial institutions have a stake" in protecting their customers.
That's because businesses face huge costs when data is stolen.
The Ponemon Institute, a data and privacy research firm in Michigan, reported last year that among companies it surveyed, the cost of a data breach from a malicious or criminal attack was estimated at $277 per compromised record. The institute added that last year was the first time malicious or criminal attacks made up the most frequent cause of data breaches — about 41%, compared to 33% from human error or negligence and 26% from system glitches.
Piffero, the Target shopper, said she's likely to remain loyal to the store, where she said she typically shops several times each month — including trips to stock up on holiday decorations and gifts during the three-week data breach.
"I've been back since and will probably still continue to go to Target," she said. "It could have happened at any store. It comes with the technology. … But it definitely made me think of all the places where my credit card information is stored."
To learn more
Target customers who are concerned about the card-data breach can call the company's guest-relations line at (866) 852-8680 or visit www.target.com and click on the "important notice" link near the top of the home page.
More info about credit card fraud, identity theft and other data breach issues is available from the Identity Theft Resource Center, www.idtheftcenter.org or (888) 400-5530.
Customers should also contact their banks or credit unions for information or to report any suspicious account activity.
The reporter can be reached at (559) 441-6319, firstname.lastname@example.org or @tsheehan on Twitter.