In which I wasn’t mad until you apologized

I haven’t talked much about the Great Target Data Breachenationing of 2013, mostly because, honestly, I haven’t been terribly concerned about it– I was one of the ones theoretically affected, because there’s a Target basically in my back yard and I shop there all the time, but I also generally keep a really close eye on my bank account and so I would have noticed any suspicious charges basically immediately. I feel like for the most part Target has behaved as a relatively responsible corporate citizen while all this has been going on, my bank hasn’t made the decision to fuck me unduly like some other banks did; no big deal, right?

I got an email from Target a few days ago; so did my wife and so did, very likely, a whole lot of you, offering me a free year of credit monitoring as a way to make amends.  I’d love to know how much coin Target had to shell out to make this happen or if Experian is just figuring they can make it up on the back end by convincing a shitton of new customers to keep going after that year is up.  I don’t currently have any kind of credit monitoring turned on, although I have in the past, and I’m considering taking them up on their offer. The email is, generally, very apologetic about the whole affair, and it appears that they’ve located a seventeen-year-old (of course it was a teenager) in St. Petersburg who wrote the malware that made the hack possible.

It didn’t hit me until yesterday that, at least for me personally, there’s sort of a big question hanging over my head about the whole thing, and that question didn’t come to light until I got that email:

How the hell did Target get my email address?

I have never ordered anything from Target.com.  Target doesn’t ask for emails as a part of doing business.  I have– and I checked, and since I use gmail my email archive goes back to forever— never received any emails from them before.  I don’t have a Target credit card, and never have, and certainly didn’t in December when the breach happened.  We had a wedding registry with them six years ago, but that was with my wife’s email; mine wasn’t on it.

I can think of one way and one way only that they might have it, which is that I applied for a Target field trip grant for the DC trip this year– but that wasn’t attached to any bank or debit card information, and the address and phone number I provided them were my school address and phone number, so even if they’re cross-matching databases the address and phone number wouldn’t match what they (might?) have through my debit card.  They could, maybe, have done a match with my name and town and made an assumption– but that itself assumes that they’re willing to have a pretty fair number of false positives, and also that they’re working their asses off to collect and consolidate customer data that they have, in turn, then never used until this data breach.  If they got it from my bank, I kinda feel like my bank ought to have told me that, and they didn’t.

I find myself more curious about how they got my email than I am about how the hack was able to happen.  I don’t know if that indicates skewed priorities on my part or not.  And maybe if you’re going to send a giant email to millions of people about how your data collection process got screwed up and compromised, you include a line somewhere about how you got the information that allowed you to contact them in the first place.