Target "acquires data"

It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
@AskTarget

It looks like Target is mailing data that was never given to them in an effort to “inform” customers of the data breach.
There are lots of problems with how Target is managing this email campaign. The first is in delivery. They’re hitting thousands of traps on one small part of dedicated traps at Spamhaus. They’re also blocked at Spamcop and have hit over 70 traps in the last 24 hours. Senderscore shows the IP has almost 100 trap hits as well, and a high unknown user rate.
On top of that, when we called the number Target gave us in the email, the phone rep told us that the address the mail was sent to was not in the Target database. Thus, she concluded, the mail was actually a phishing email. Now, I don’t believe it was a phish; I think it was legitimate. But you can’t have your front line folks answering the phone telling people the mail you sent out was phishing.
There are a number of other problems with this mailing that we’re still cataloging and will report on next week.
Overall, though, the email handling of this notification was a total failure on Target’s part.

Related Posts

Equivocating about spamtraps

What is a spamtrap? According to a post I saw on Twitter:

Irony

Saw this on twitter today:

Oh, the irony of an append vendor using COI for a whitepaper download.

Target acquires email addresses, exposing more customers to data breaches

As most folks now know, hackers broke into Target systems last December and stole financial and other data from 110 million customers. Target has been responding to this breach reasonably well. They’ve been notifying customers that were affected and they’re providing credit monitoring for affected individuals. They seem to be totally on top of protecting their customers’ data and privacy.
Mostly.
They seem to be purchasing or otherwise acquiring email addresses from at least one major retailer in order to send out notifications about the breach to customers that never gave them email addresses. Yes, even those of us who chose not to give Target email addresses are receiving email from them.
I understand Target’s drive to contact affected users. I even appreciate that. What I don’t appreciate is that Target appears to be compromising my security in order to notify me my security was compromised. The data of mine that was compromised at Target would be credit card and possibly address information. My email address was not part of the compromise. So what does Target do? They go and acquire my email address from a third party.
Their solution to the compromise is collecting more data that is vulnerable to compromise from unrelated third parties? I’m not sure this is the most consumer friendly thing Target could do. In my case, Target sent mail to an address I’ve only given to Amazon. That means I now need to worry about my Amazon account security, on top of everything else.
Ironically, the email sent by Target tells me that I can click a link and get free credit monitoring. Then the email goes on to tell me the following:

  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Don’t click links within emails I don’t recognize? You mean like the one you just sent me? With a link to a credit monitoring website?
I appreciate the notice. What I don’t appreciate is that Target went out of their way to collect more information about me than I actually gave them. I am now worried about Amazon’s security as well. How did Target get an address only provided to Amazon? I don’t appreciate that my efforts to keep my information secure (not providing an email address to Target) were undermined by Target themselves.
The full text of the email, with the relevant headers (munged slightly for privacy) is under the cut, if anyone is interested.
