In which I wasn’t mad until you apologized

target-data-breachI haven’t talked much about the Great Target Data Breachenationing of 2013, mostly because, honestly, I haven’t been terribly concerned about it– I was one of the ones theoretically affected, because there’s a Target basically in my back yard and I shop there all the time, but I also generally keep a really close eye on my bank account and so I would have noticed any suspicious charges basically immediately. I feel like for the most part Target has behaved as a relatively responsible corporate citizen while all this has been going on, my bank hasn’t made the decision to fuck me unduly like some other banks did; no big deal, right?

I got an email from Target a few days ago; so did my wife and so did, very likely, a whole lot of you, offering me a free year of credit monitoring as a way to make amends.  I’d love to know how much coin Target had to shell out to make this happen or if Experian is just figuring they can make it up on the back end by convincing a shitton of new customers to keep going after that year is up.  I don’t currently have any kind of credit monitoring turned on, although I have in the past, and I’m considering taking them up on their offer. The email is, generally, very apologetic about the whole affair, and it appears that they’ve located a seventeen-year-old (of course it was a teenager) in St. Petersburg who wrote the malware that made the hack possible.

It didn’t hit me until yesterday that, at least for me personally, there’s sort of a big question hanging over my head about the whole thing, and that question didn’t come to light until I got that email:

How the hell did Target get my email address?

I have never ordered anything from Target.com.  Target doesn’t ask for emails as a part of doing business.  I have– and I checked, and since I use gmail my email archive goes back to forever— never received any emails from them before.  I don’t have a Target credit card, and never have, and certainly didn’t in December when the breach happened.  We had a wedding registry with them six years ago, but that was with my wife’s email; mine wasn’t on it.

I can think of one way and one way only that they might have it, which is that I applied for a Target field trip grant for the DC trip this year– but that wasn’t attached to any bank or debit card information, and the address and phone number I provided them was my school address and phone number, so even if they’re cross-matching databases the address and phone number wouldn’t match what they (might?) have through my debit card.  They could, maybe, have done a match with my name and town and made an assumption– but that itself assumes that they’re willing to have a pretty fair number of false positives, and also that they’re working their asses off to collect and consolidate customer data that they have, in turn, then never used until this data breach.  If they got it from my bank, I kinda feel like my bank ought to have told me that, and they didn’t.

I find myself more curious about how they got my email than I am about how the hack was able to happen.  I don’t know if that indicates skewed priorities on my part or not.  And maybe if you’re going to send a giant email to millions of people about how your data collection process got screwed up and compromised, you include a line somewhere about how you got the information that allowed you to contact them in the first place.

Published by

Luther M. Siler

The author of SKYLIGHTS, THE BENEVOLENCE ARCHIVES and several other books.

11 thoughts on “In which I wasn’t mad until you apologized

  1. It’s called “data mining,” and unless you are completely off the grid, there are any number of ways to find you and information about you. Most large companies buy and sell lists of information – Name, address, phone number, email, purchase history, DOB, all of that.
    To give you an idea, I went to a grocery recently and made a few purchases – one of them was a magazine that I have never bought before, but the articles looked interesting (no, not THAT kind of magazine – pervs). I paid with a debit card. 2 weeks later, I start receiving promotional information about that mag and subscription information WITH MY NAME ON IT.
    Different store, same scenario, but this time I had enough cash on me so I just used a discount savings card I had for the store and the cash. 2 weeks later, I start getting promo materials for that magazine mailed to my house, too, ALSO WITH MY NAME ON IT.
    The funniest and altogether most scary one for me was when AARP began mailing membership information – within a week after I came home from the hospital with my the twins. This information also had my name on it. I’d never received anything from them before, and I’m not even in the right demographic, so obviously my information was sold, incorrectly, to AARP. Who sold it? the hospital? The insurance company? The catering service that runs the hospital’s cafeteria? Don’t know. It was funny because I could joke with my husband that “having kids prematurely ages you,” it was scary because it was obviously linked to my hospital stay in some fashion.

    Tin-foil undies are the only way to get past the man, these days.

    Like

  2. Watch out for viruses and phishing, guys. This would be a great opportunity for criminals to get your information with the excuse of offering you free monitoring. Call Target to find out if it’s true. It might not be Target at all.

    Like

    1. For the record, I’ve seen this offer in numerous reputable news sources; I’ll admit that I haven’t taken the time to investigate the details on the email itself but it doesn’t raise any red flags.

      Like

  3. Yes, definitely data mining. They found your contact information the same way Google and Facebook target ads. Target, every other company you use electronic payment with, all the big social media companies you have a profile with, and dozens of online ad placement companies have profiles of your content preferences, your shopping habits, or both. They’re generating an ass-ton of profits with information they’re getting from us for free, and we’re updating their information every time you visit a website, post a comment, like, or share. There’s nothing we can do about it at this point, except disconnect entirely from the Internet and do all business in cash. But then how would we maintain all the relationships we have with people in other geographical areas, and how much surveillance would we be subjected to when someone realized the only electronic transactions in our financial records were from the same ATM?

    I am not getting the emails, and fortunately, I did not by anything from Target during the period in question, so I haven’t been following it very closely.

    Like

  4. We might as well get used to it, it is going to happen more and more frequently, unless you want to drop of the grid and ride the rails hobo style (which sometimes doesn’t sound to bad)

    Like

  5. Just further proof that nothing and no one is safe thanks to the internet… It seems a credible reason for some sort of regulatory action by the government, but I don’t like the idea of the government determining how the internet is used any more than the idea of people being able to find out my entire life online. Basically, I’d be just as curious (maybe mad, even) as you are about them finding your email. It seems invasive.

    Like

Comments are closed.