I rarely shop at Target. However, last December I did some quick shopping to pick up some last-minute toys for the holidays. Needless to say, I was extremely surprised when I read in the New York Times a few days later that the company experienced a major breach affecting more than 120 million people.
Yesterday, I was digging through my Gmail account and came across an email from Target apologizing for the breach and explaining how they were going to protect me moving forward. Basic gist: they are offering me “one year of free credit monitoring …through Experian’s® ProtectMyID® product which includes identity theft insurance where available.” They then proceeded to give me tips on what I could do to not screw up and compromise my identity in the future.
Personally, I think this response is incredibly reactive. Let’s wait until the criminals “virtually violate” your online identity and then take action to help you! In addition, although I appreciate Target’s consumer advice around how I can avoid compromising my own identity, I would prefer to learn about the measures THEY are taking to proactively protect me in the future. (On a side note, it’s a bit ironic that the Target communication looks like a potential phishing attack.)
I think there’s a lot of opportunity for Target to take real action. The simplest step appears to be classic federated SSO with payment vendors. Wouldn’t it have been nice if Target had a trusted relationship with partners that didn’t actually require the sharing of an individual’s personal data in their systems? In addition, Target has the opportunity to take on a leadership role in this space moving forward. They can become an outspoken evangelist against online fraud and drive initiatives with the credit card providers to come up with a better model moving forward.
Target, if you ever want to discuss how identity relationship management plays a role in this world, let us know. We’d be more than happy to talk!