At risk if you do, at risk if you don’t? Target’s problematic privacy policy

Posted on January 16, 2014 (last updated July 1, 2025) by Dissent

There’s been a lot of coverage on the Target data breach that has impacted between 40 and 110 million individuals. For 40 million, their credit or debit card information was captured by malware placed on Target’s registers. For 70 million, personal information such as names and e-mail addresses, but not card information, was captured. How much overlap there is between the two databases has not yet been disclosed by Target.

In reading many of the news articles and reactions to the breach, I noticed one person complaining on Twitter – and then on databreaches.net – that when he used Target’s page to avail himself of their offer of free credit monitoring, the confirmation e-mail with the activation code did not come from Target.com. Rather, it came from a Target address at target.bfi0.com. As James Lyne writes, that looks like what we typically see in a phishing attempt. In this case, it’s not, though. bfi0.com is part of Epsilon, a firm that handles customer emails and marketing for numerous large retailers, including Target.

But the concern doesn’t end there. As “rcrsv” commented on databreaches.net:

When you try to sign up for credit monitoring with Target, their site requires full name and email address.

Then you receive an email from a sketchy looking domain, bfi0.com.

A whois of that domain leads back to Epsilon in Irving TX, a direct marketing company.

Epsilon itself had a massive data breach not too long ago, where they leaked personal information on millions of people who then suffered phishing attacks.

Target never asked my permission to share my personal information with Epsilon.

Now Epsilon has a list of people who were compromised in the Target breach. This shit has got to stop!

I thought about that concern. On the one hand, Target might understandably want to or need to outsource some of its breach response. But should consumers have been informed that their information was going to a third party, and if so, did Target provide them with adequate notification? And suppose a customer doesn’t want Epsilon storing their name and e-mail address because they don’t trust their security? Can they get their information deleted from Epsilon’s files?

I reached out to Target to pose the questions to them, but after a few days of back-and-forth, I still don’t have a satisfactory answer.

Target’s first response was to point me to their privacy policy. That policy does note that information may be shared with service providers, which is what Epsilon would be in this case.

But does Target really expect upset and worried customers to actually read their privacy policy before submitting their information to get free credit monitoring? That’s totally unrealistic. Apart from the issue of the confirmation/activation email coming from a suspicious-looking domain – which Target should have alerted people to in advance – Target should have put a note on the sign-up page saying that by entering your name and e-mail address, you understand that the information will be shared with service providers helping to respond to the breach. Their current signup page says “The information captured in this process will not be used for any purpose other than providing you with credit monitoring services.” It makes no mention of using a service provider. And although the statement about the limited use of the information is excellent, why don’t people have the option to totally delete their information from Target’s database and any service providers’ databases?

So, not satisfied with Target’s reply to me, and finding no statement in Target’s privacy policy as to how customers can get their information totally deleted from Target and/or its service providers, I tried again:

… you have millions of people clicking on a link to sign up for free credit monitoring and there’s no notice on that page that their info might be shared with a partner. Having been burned by the breach, now they’re more nervous and want to know what happens to the information that they just unknowingly shared with Epsilon. Trust is the first thing that goes…

Can Target give me a statement as to how people can be confident that Epsilon will delete the information they provided once Epsilon has provided the activation code?

Target’s response was non-responsive:

Our goal was to provide a simple, consistent experience for all guests seeking free credit monitoring. Guests who are concerned about providing an email can call 1-866-852-8680 to make alternative arrangements.

I tried again:

I really do understand what Target was doing and why. But can Target assure people that their information will be deleted from Epsilon’s database after the activation code is sent, at the customer’s request? The phone number you provided will help people who haven’t tried to sign up yet, but it does nothing for the customers whose data are now in Epsilon’s database where they don’t want it. There is nothing in the privacy policy url you cited that explains how customers can get their information totally deleted.

It’s a pretty simple/straightforward question calling for a yes/no answer.

So… will Target make provisions/agree that user info will be totally deleted from Epsilon’s database after the activation code is sent? And if you can’t answer that, is there someone else I can speak with who can?

I haven’t heard back from them since sending that yesterday afternoon. If I do, I’ll update this post.

In the meantime, I would strongly encourage Target to be more respectful of consumer privacy and allow customers to have their personal information totally deleted from Epsilon’s databases or any other databases, at the customer’s request. Consumers should not have to agree to have their data stored in a database forever – with all the risks that go with that – just to sign up for a free credit monitoring service because the business already failed to protect the security of their information.

Categories: Breaches, Business, Featured News


1 thought on “At risk if you do, at risk if you don’t? Target’s problematic privacy policy”

  1. Dissent says:
    January 16, 2014 at 2:19 pm

    The more I think about this problem, the more I wonder whether retailers denying consumers the option or right to delete their information might be an “unfair” practice under the FTC Act that is a direct cause of injury consumers suffer when there’s a breach.

