Target acquires email addresses, exposing more customers to data breaches

As most folks now know, hackers broke into Target systems last December and stole financial and other data from 110 million customers. Target has been responding to this breach reasonably well. They’ve been notifying customers that were affected and they’re providing credit monitoring for affected individuals. They seem to be totally on top of protecting their customers’ data and privacy.
Mostly.
They seem to be purchasing or otherwise acquiring email addresses from at least one major retailer in order to send out notifications about the breach to customers that never gave them email addresses. Yes, even those of us who chose not to give Target email addresses are receiving email from them.
I understand Target’s drive to contact affected users. I even appreciate that. What I don’t appreciate is that Target appears to be compromising my security in order to notify me my security was compromised. The data of mine that was compromised at Target would be credit card and possibly address information. My email address was not part of the compromise. So what does Target do? They go and acquire my email address from a third party.
Their solution to the compromise is collecting more data that is vulnerable to compromise from unrelated third parties? I’m not sure this is the most consumer friendly thing Target could do. In my case, Target sent mail to an address I’ve only given to Amazon. That means I now need to worry about my Amazon account security, on top of everything else.
Ironically, the email sent by Target tells me that I can click a link and get free credit monitoring. Then the email goes on to tell me the following:

  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Don’t click links within emails I don’t recognize? You mean like the one you just sent me? With a link to a credit monitoring website?
I appreciate the notice. What I don’t appreciate is that Target went out of their way to collect more information about me than I actually gave them. I am now worried about Amazon’s security as well. How did Target get an address only provided to Amazon? I don’t appreciate that my efforts to keep my information secure (not providing email address to Target) were undermined by Target themselves.
The full text of the email, with the relevant headers (munged slightly for privacy) is under the cut, if anyone is interested. 

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:

  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
Chairman, President and CEO

And the accompanying mail headers, which tell me that it probably really did come from Target. And that the IP address is currently blocked by Spamcop.
[Image: TargetHeader]
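For readers who want to check a notice like this themselves, here is an added example (not part of the original post, and not Target's or Epsilon's code) that compares the visible From: domain with the domains that passed SPF or DKIM according to the receiving server. The sample headers are constructed; only the bfi0.com domain is taken from the comments on this page, and the subdomain matching is a simplification that does not use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not the real message). Only trust an
# Authentication-Results header added by your own receiving mail server.
SAMPLE = """\
Return-Path: <bounce-0001@email.bfi0.com>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=email.bfi0.com;
 dkim=pass header.d=bfi0.com
From: "Target" <targetnews@target.bfi0.com>
To: user+amazon@recipient.example
Subject: Constructed subject line

body
"""

PASS_RE = re.compile(
    r"\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)")

def domain_of(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def under(domain, parent):
    """True if domain equals parent or is a subdomain of it (simplified)."""
    return domain == parent or domain.endswith("." + parent)

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM per Authentication-Results."""
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split())  # unfold continuation lines
        for m in PASS_RE.finditer(ar):
            passed.add(m.group(1).rpartition("@")[2].lower())
    return passed

def check_sender(raw, brand_domain):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    auth = authenticated_domains(msg)
    return {
        "from_domain": from_dom,
        "authenticated": sorted(auth),
        # A passing identifier lines up with the visible From: domain.
        "from_authenticated": any(under(from_dom, a) or under(a, from_dom)
                                  for a in auth),
        # The visible From: domain belongs to the brand named in the mail.
        "from_is_brand": under(from_dom, brand_domain),
    }
```

On the constructed sample, `check_sender(SAMPLE, "target.com")` reports mail that authenticates as the sending service's domain but not as the brand's own domain, which is why the recipient cannot tell from the headers alone whether the brand authorized it.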

13 comments

  1. steve says

    If someone other than you, Amazon and Amazon’s contractors have access to that email address that sounds rather like a breach of Amazon’s customer database. I wonder how that came to be?

  2. Brian G says

    I was also baffled to see they didn’t even use a target.com from address. Nothing in the message other than a single link points to target.com! Way too many oversights with this… maybe the stress of this breach is causing them to make poor decisions.

  3. Allen says

    Just because the header includes the word “target” in the email addresses for reply and from, doesn’t make it from Target. Note that the actual domain that the email is from is “bfi0.com” which a Whois search returns “enom.com” and Epsilon Data Management as the registrar. The Whois search for “enom.com” returns “private” data for the registrar. In addition, actual names or phone numbers could also be faked in the registry information so even that isn’t enough to conclude that Target sent the email. You’d have to definitively associate “bfi0.com” with the Target corporation or verify with someone at the company that the email originated there. Otherwise, it might as well be a Nigerian Prince scam. =:^(

    1. laura says

      I’m familiar enough with ESPs, Bigfoot and Epsilon that I am confident that it really is from Target. The alternative is that Bigfoot is going to be embroiled in the mother of all lawsuits.
      However, you are right that the way Epsilon / bfi sent the mail makes it difficult to verify this really was a Target authorized email. Forbes wrote about the headers and lack of actual authentication about a week ago.

  4. Brian says

    Laura, is it possible this Amazon only email was provided years ago when Target and Amazon were affiliated? They broke up in 2009. So, if you shopped the Target store on Amazon prior to ’09, Target may have obtained the email address as part of the transaction you had with them on the Amazon platform. Just a thought.

    1. laura says

      To the best of my recollection I’ve never made an online purchase from Target. I’ve also gone to Target’s website and added the tagged address into the “recover my password” box and Target says, “Sorry we couldn’t find that email address.”
      Additionally, the breach was supposed to have happened for a few weeks in December 2013. What are they doing pulling customer data from so far back? I remember when the breach happened my reaction was “well, I’m glad we’ve not been to Target recently.”

  5. Jon says

    I got the same message, also to a unique address only ever given to Amazon. From a quick read of Amazon’s privacy policy, it kind of seems they’ve violated it.

  6. Josh says

    I also received the email from Target, sent via Big Foot Interactive, on Jan 15th.
    I checked my email archives, and I did order something from Target.com in Dec. 2004, when their web store was being run by Amazon.
    So, in my case, there is an Amazon/Target connection, but from 9 years ago!!!
    I do not believe I have ordered anything from Target.com since that time.

  7. Denny Watson says

    On a side note, a bunch of these messages had hit a bunch of my dedicated spamtraps.

  8. Derek D says

    Add me to the list of Amazon only tagged addresses receiving the Target notice. I have searched my memory and don’t remember buying anything from Target on-line far enough back to have Target/Amazon co-mingling data using the AMAZON tagged address and a search of my email archives agrees. (I do have stuff purchased from Target via Amazon using a different email address.)
    And in searching my email archive found the message from Target in April 2011 about their ESP, Epsilon, being hacked and exposing Target customers’ email addresses.

  9. steve says

    And I got my Target email to an Amazon-tagged address this morning too.

  10. Matt Soreco says

    Got the e-mail too. Didn’t shop during the breach. Never shopped online with them or signed up for their newsletters. They must have tied a pre-breach purchase to my e-mail address. Why?

  11. Technicolor says

    Target has never had any personal information from me other than an outside CC. We are told so many times to make sure a lock is shown on site address before ordering from anywhere and they just opened it. The letter has erratic info…go, don’t go to unknown sites, give, don’t give information to unknown sites. Then tells us to do this. Where was decent decision making? I’m ticked at Amazon, they are watering down their business as it is with so many outside sites selling and now individuals offering products.
