Wow, the news is giving me tons of blog fodder (blodder?) this week! You may have heard that some 40 million credit card numbers and associated data were stolen from Target during the beginning of the holiday shopping season. I'm not sure whether this news is being covered 24/7 on all news outlets in other places, but it certainly is in Minnesota. (Target's headquarters are here, and it's a major employer in the area.)
We shopped at Target at least twice during this time period and used a credit card for our purchases, so I am 99% sure that our information is included in the credit card numbers that are now in the hands of data thieves.
So what are we doing about it? Nothing.
1. These types of things happen all the time, either through hacking or employee carelessness, but most companies do not announce that information has been compromised for weeks or months. (Just off the top of my head - Adobe, Ubisoft, Global Payments, Sega, Nintendo, Sony, AT&T, Morgan Stanley, Citibank.)
2. When lists of card numbers are stolen they are often traded around on the black market and may not be used for weeks or months or years, if ever.
3. Target's early announcement of the theft means that a lot of people will be changing their credit card numbers, so part of the data will be useless. It may have even affected the value of the list on the black market, meaning it's less likely to be used.
4. We check our credit card statement frequently (at least once per month, usually more) and check it carefully against our spending log. We would notice fraudulent activity quickly.
5. Credit card users are protected from fraud, so if we do start seeing fraudulent charges, we can dispute them and there will be no real consequence for us.
Your card information is not secure, period. Every time you use the card, you are opening yourself up for the information to be compromised. Every time you buy something online, you risk it. Every time you use it at a cash register, you risk it. Every time you send it off with a waiter in a restaurant, you risk it. That's why there's such a strong consumer protection aspect to using a credit card - at some point it is almost certain that your information will be stolen, so there are stopgaps and protections built in. The companies themselves are watching for it, that's how much they expect it to happen.
This is not necessarily true of debit cards - because the money will come right out of your bank account, you are at risk of losing money immediately. That's why we don't use a debit card ANYWHERE unless we are required to do so (Aldi doesn't accept credit cards, Costco only accepts American Express. We use a credit card for almost anything else.) Anyone who used a debit card at Target during the compromised period should absolutely cancel the card and get a new number. But for credit card users, I'm not sure what all the fuss is about.
Would I shop at Target again using my credit card? Heck, yes. I'd do it today if I needed anything. My concern with using a credit card at Target has nothing to do with security, and a lot more to do with marketing: Target uses credit card information to track shopper spending and study their habits. I agree to this kind of tracking when I sign up for a store loyalty card, but I find Target using my credit card information for this to be creepy. Not enough that I always remember to stop at the ATM before I go shopping there, but enough that there are certain purchases I've made in cash just to avoid adding to my shopper profile.
Aside from the potential fine that Target may face for being hacked, probably the biggest downside to this for Target is that if people change their credit card numbers, all of their marketing data is useless.