SEATTLE – Target this morning disclosed that the massive breach of its payment card database was on a much larger scale than initially reported.
The company said up to 70 million Target customers, not just 40 million, were affected. However, even though payment card numbers can be deactivated and replaced, the cyber underground can still make use of the stolen customer data in phishing scams.
Of particular concern are phishing phone calls in which the caller impersonates Target or the payment card-issuing bank, says Chris Camejo, director at consultancy NTT Com Security.
"Vigilance is going to be very important for Target customers," Camejo says. "Don't believe anything."
Certain customer information – including names, mailing addresses, phone numbers and email addresses – was harvested by the data thieves, the company said.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Chief Executive Gregg Steinhafel said in a statement.
A fraudster in possession of parts of the stolen data might call asking to verify information as part of a security check, says Lee Weiner, Senior Vice President of engineering at security firm Rapid7.
"This type of high-profile security breach offers an opportunity for so-called 'piggyback attacks,' where criminals try to make a profit by preying on consumers' fears," Weiner says. "For example, they'll use phishing emails disguised as communications from a bank or credit card provider to trick victims into unknowingly sharing confidential personal information or visiting a malicious website."
Such scams are highly credible, even to sophisticated consumers. "People need to be on the lookout for any communication that asks them to click on a link or provide confidential information," Weiner says. "If there's any doubt, go directly to the site through a web browser and don't click on the link in the email."