Target credit card breach: it's worse than you think.


40 million. 70 million. Now close to 110 million customers of Target ($TGT) have not received word that their personal data, including financial information, phone numbers and home addresses, is now in the hands of overseas hackers. Sound like a scene from The Girl with the Dragon Tattoo? The executives at Target only wish. Right now the retailer is getting ready for a congressional probe into its consumer protection practices. This is a rundown of what you should know (source: Reuters):

What is happening: Democratic members of the Financial Services Committee of the U.S. House of Representatives are calling for the panel to investigate the hacking of credit card data belonging to millions of customers of Target Corp stores.

The letter said a hearing should review current consumer protection laws and determine what could be done to ensure the future security of consumers' card information.

Quote from the letter: "It is incumbent upon our Committee to explore whether industry data protection standards are appropriate, and examine whether heightened regulatory standards are needed to more effectively protect consumers," the Democrats wrote.

What that means: Congress wants to figure out whether Target was in violation by failing to effectively protect the consumer.

The hearing is supposed to be scheduled for late January.

What can we expect out of the hearing: Hearings would allow for an airing of grievances and could bring Target officials to Washington for a grilling about how the case has been handled, but they would not necessarily result in any kind of action or in legislation.

In addition: The Federal Trade Commission, the Securities and Exchange Commission and state attorneys general would potentially look into Target's actions in this situation.

The FTC does not confirm or deny the existence of ongoing investigations and would only get involved if Target is shown to have failed to protect its customers' data.

Target has said it is working in partnership with the Secret Service, the lead agency involved in the data breach case, and the Department of Justice, but did not comment on any FTC involvement.

Why do we care/why is this important: There is no real federal regulation on the retail side when it comes to security and consumer protection.

A bill by Senate Judiciary Committee Chairman Patrick Leahy remains the only data security bill on tap for now-- THAT'S THE ONLY BILL THAT EXISTS!

The FTC has asserted that it has the power to investigate companies’ privacy and information security policies and ensure that they meet proper standards.

It has previously brought cases against companies that it determined didn’t do enough to protect consumer data, and Blumenthal suggested it should consider doing so again.

QUOTE: “Given the scope and duration of Target’s recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information,” Blumenthal wrote. “If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information. Its conduct would be unfair and deceptive, and it would clearly violate the FTC Act.”

Additional info on $TGT you as a consumer should know:

Point of sale: As a merchant, you’d better make sure shoppers trust that they’re not exposing themselves to identity theft and credit-card fraud every time they swipe. Even Target, a huge company with big bucks to spend on security, hasn’t managed to assure such certainty (source: Bloomberg BusinessWeek).

Methods hackers use to get information:

Skimming: Attaching a physical device to a machine to gather information.

"RAM Scraping": Malware scans a computer system's random access memory (RAM) for personal information.

U.S. Computer Emergency Readiness Team (U.S.-CERT), a cyber watchdog that’s part of the Department of Homeland Security.

Target has not disclosed how the malware got into the system.