We have discussed many times how identity theft impacts others when thieves steal information from one company and commit identity fraud in other companies. Another identity theft incident at one of the large US retailers (Target) illustrates the challenges of protecting customers’ private information, the impotence of personal information, and how identity theft affects others in terms of lost revenue and customers, pain and suffering, reduced profits, and credibility.
Let’s briefly analyze what happened in this highly publicized identity theft case which appears to be one of the largest of its kind and how identity theft impacts others. It appears from various news sources that Target was the "target" of a sophisticated and organized identity theft incident which resulted in the theft of credit and debit card information of 40 million Target customers. We don’t know exactly how the information was stolen and whether insiders were involved, however, the scope of the operation indicates a highly sophisticated and organized data breach. One of the most important attributes of this identity theft case is that Personal Identification Numbers or PINs were also stolen which can be used to withdraw money directly from bank accounts. Another important aspect of this case is that the operation appears to have occurred during the busy US shopping period from Nov. 27 to Dec. 15 2013 to inflict the most bang for the buck because this period accounts for about 40% of a retailer's total annual revenue and there are more fish to catch with just one throw net. Although it is still unclear about how the identity data breach was uncovered, an extended breach period until December 25 Christmas day would have had even greater impact. The fact that Target announced the discovery of the breach on December 15 and before the busy shipping period ended must have been a very difficult decision for management.
Regarding the stolen data, Target has indicated that the PINs were encrypted, however, the banks are not so comfortable about the statement and have reduced the daily withdrawal limits of those customers who have shopped at Target during the breach period. Now, Target customers not only have to worry about their stolen data and future crimes, but, they are also being punished by their bank who are worried about the consequences of the identity theft incident.
Customer class action lawsuits have already started to be filed but the question is will banks start to also sue Target. Security weaknesses which lead to identity theft cases such as this one have devastating identity fraud consequences elsewhere and banks are taking proactive measures to prevent fraud using stolen private information. The US Federal government has already acknowledged that fact that personal information of customers will continue to be stolen to commit fraud and has passed the Red Flags Rule law to force companies to recognize that identity theft impacts others and be prepared to prevent fraud. The law requires companies to be aware of this fact and implement identity fraud prevention programs to detect and mitigate this rising risk which is exactly what banks are doing by imposing cash withdraws limits but may have to file lawsuits against companies like Target to recover their losses.
Annual global losses from credit and debit card fraud are up 11.4 % from last year and have surpassed $11 billion which is about 6 cents of every $100 spent. Identity theft impacts others in a big way and the question is when companies will start to file lawsuits for the ripple affect when identity theft impacts others.