There’s been a lot of coverage on the Target data breach that has impacted between 40 and 110 million individuals. For 40 million, their credit or debit card information was captured by malware placed on Target’s registers. For 70 million, personal information such as names and e-mail addresses, but not card information, was captured. How much overlap there is between the two databases has not yet been disclosed by Target.
In reading many of the news articles and reactions to the breach, I noticed one person complaining on Twitter – and then on databreaches.net – that when he used Target’s page to avail himself of their offer of free credit monitoring, the confirmation e-mail with the activation code did not come from Target.com. Rather, it came from a Target address at target.bfi0.com. As James Lyne writes, that looks like what we typically see in a phishing attempt. In this case, it’s not, though. bfi0.com is part of Epsilon, a firm that handles customer emails and marketing for numerous large retailers, including Target.
But the concern doesn’t end there. As “rcrsv” commented on databreaches.net:
When you try to sign up for credit monitoring with Target, their site requires full name and email address.
Then you receive an email from a sketchy looking domain, bfi0.com.
A whois of that domain leads back to Epsilon in Irving TX, a direct marketing company.
Epsilon itself had a massive data breach not too long ago, where they leaked personal information on millions of people who then suffered phishing attacks.
Target never asked my permission to share my personal information with Epsilon.
Now Epsilon has a list of people who were compromised in the Target breach. This shit has got to stop!
I thought about that concern. On the one hand, Target might understandably want to or need to outsource some of its breach response. But should consumers have been informed that their information was going to a third party, and if so, did Target provide them with adequate notification? And suppose a customer doesn’t want Epsilon storing their name and e-mail address because they don’t trust their security? Can they get their information deleted from Epsilon’s files?
I reached out to Target to pose the questions to them, but after a few days of back-and-forth, I still don’t have a satisfactory answer.
… you have millions of people clicking on a link to sign up for free credit monitoring and there’s no notice on that page that their info might be shared with a partner. Having been burned by the breach, now they’re more nervous and want to know what happens to the information that they just unknowingly shared with Epsilon. Trust is the first thing that goes…
Can Target give me a statement as to how people can be confident that Epsilon will delete the information they provided once Epsilon has provided the activation code?
Target’s response was non-responsive:
Our goal was to provide a simple, consistent experience for all guests seeking free credit monitoring. Guests who are concerned about providing an email can call 1-866-852-8680 to make alternative arrangements.
I tried again:
It’s a pretty simple/straightforward question calling for a yes/no answer.
So… will Target make provisions/agree that user info will be totally deleted from Epsilon’s database after the activation code is sent? And if you can’t answer that, is there someone else I can speak with who can?
I haven’t heard back from them since sending that yesterday afternoon. If I do, I’ll update this post.
In the meantime, I would strongly encourage Target to be more respectful of consumer privacy and allow customers to have their personal information totally deleted from Epsilon’s databases or any other databases, at the customer’s request. Consumers should not have to agree to have their data stored in a database forever – with all the risks that go with that – just to sign up for a free credit monitoring service because the business already failed to protect the security of their information.