As if Target (TGT) customers didn't have enough to worry about when it comes to the discount retailer's credit card hacking imbroglio, it's compounding their fears by sending out emails to them that look like a phishing scam.
I've mentioned before that I was one of the 40 million people whose credit and debit card accounts were compromised by the massive hacking attack at the retailer, a theft that has only grown in size as Target now confirms that some 70 million customers also had their personal information stolen, including names, addresses, email addresses, and phone numbers. Sure, there's probably a lot of overlap between the two groups, but it could also mean the data of as many as 110 million customers was compromised.
The hacking case is even more widespread than originally believed, however, in that upscale department store Neiman Marcus has come forward to admit that its customers' data was stolen as well, though unlike Target, it's not being very forthcoming with details of how many accounts were affected or whether they've been notified. It seems to be following TJX's hack attack playbook instead, which is one where you hunker down with a bunker mentality and hope it all goes away.
Worse, Reuters says sources indicate there are at least three more retailers who have been similarly hacked but have yet to come forward. Both Target and J.C. Penney (JCPN.Q) waited more than two years to report that they were victims during a widespread hack attack in 2007.
And some companies still seemingly haven't learned the lesson of security. Starbucks (SBUX) recently admitted that its mobile app stores a user's mobile-payment app password, username, and geolocation tracking points in unencrypted plain text, making it a simple matter for a hacker to access and use the account. While it would only allow the hacker to use it to buy Starbucks products, if the account was activated with an auto-replenish option, it could theoretically draw down the owner's bank account. Starbucks management says it's well aware of the system's design and that it "was not something that was news to us." Oh, good.
Yet Target's not doing itself any favors in the aftermath of the latest attack, either. In an effort to soothe potentially affected consumers, it sent out an email offering a year of free Experian credit monitoring, only it used some weird third-party service to send out the notice so that numerous recipients began wondering if it was part of a phishing scam that was following up the hack attack. Twitter users immediately raised yellow flags about the move.
The email was sent from the address [email protected], and many people were immediately suspicious of its origins, more so because Target tried to reach the widest audience possible and didn't rely just upon its own internal database of customers who gave it their email addresses, but pulled them from all over the place.
It caused more than a little consternation among recipients, but it generated a little snark, too, as the email has you clicking a link to go to the offer -- which then advises you to not "click links within an email you don't recognize."
Certainly Target is to be commended for trying to do the right thing while repairing a reputation that's been severely tarnished by the episode, but it would be well advised to not compound the problem by having its customers take actions that are diametrically opposed to the advice it is giving. Crisis management would suggest you want to put the issue behind you, not create new hurdles to surmount in front.