Unauthorized access compromises cardholders’ data

The payment data of U.S. citizens, including students at the University of Indianapolis, were illegally accessed after they made purchases at U.S. Target stores between Nov. 27 and Dec. 15, 2013.

On Dec. 20, Target Chairman, President and CEO Gregg Steinhafel addressed the issues of the unauthorized access to card data from U.S. Target stores in a video posted on Target’s corporate site.

“As you have likely heard by now, Target experienced unauthorized access to payment card data from U.S. Target stores,” Steinhafel said. “We take this crime seriously. It was a crime against Target, our team members and most importantly you—our valued guest.”

Junior theatre major Eric Brockett said that he did not have money stolen but had his spending monitored by Chase Bank and had to receive a new debit card.

“Fortunately, I seemed to be much better off than a lot of other people,” Brockett said. “My family went Black Friday shopping at Target, and we were all affected. We didn’t have any money taken or anything. The bank was just like, ‘Your card may be compromised, here’s a new one,’ which was at the worst possible time.”

Chase Bank released a Customer Service Notice on its website to give customers information on what they should know, what Chase was doing to protect against fraud and what customers whose cards were at risk could do.

Brockett said that it took about a week and a half to two weeks before he had his new card.

“I was trapped here [at UIndy] for a week in the ice with $60 in cash and no car and trying to figure out how I was going to live off of three packs of Ramen,” Brockett said. “The idea of living off of no money and the weather was no fun.”

Associate Vice President of Information Systems Steve Herriford said that a third party, the university’s bank, does most of the credit card processing.

“They [the bank] follow rules called PCI compliance, which certifies that they’re secure, following industry guidelines, and makes sure that that information is kept secure,” Herriford said.

According to the PCI Security Standards Council’s website, they offer robust and comprehensive standards and supporting materials to enhance payment card data security.

Although Information Systems does not handle card information, Herriford said that IS still takes measures to keep student and faculty information secure.

“We [Information Systems] also use industry-standard things like Firewalls, Network Access Control, those kinds of things to make sure only authorized users get access to the data,” Herriford said. “I know it’s a pain for a lot of people; your password expires every six months, and you’re required to reset it. That’s another security measure. We require minimum strength of passwords … So all those kinds of things we do to try to keep the data safe.”

Target has been working to figure out how the unauthorized access happened as well as how to prevent future incidents from happening.

“We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future,” Target said. “Additionally, Target alerted authorities and financial institutions immediately after we discovered and confirmed the unauthorized access, and we are putting our full resources behind these efforts.”

Similarly, banks such as Chase took precautions to stop fraud before customers had any major issues.

Brockett said that Chase took care of everything before he knew that he was at risk for fraud.

“I would not have known if they [Chase] didn’t tell me,” Brockett said. “I’m glad they had the courtesy to be like, ‘Hey, instead of going through all these hoops and bending backwards, we’re just going to give you a new card.’”