First Target dropped the ball by failing to protect 40 million customers whose payment card data was stolen by hackers and another 70 million shoppers whose names, addresses, phone numbers, and e-mail addresses were stolen at the height of the 2013 holiday shopping season. Now the retailing giant has fumbled a second time by providing second-rate credit-monitoring services, a new Consumer Reports analysis has found.
In mid-January, Target said it was offering "additional peace of mind" by giving affected customers free ProtectMyID credit monitoring services from Experian, one of the three big U.S. credit bureaus. The move looked like a reasonable response—with caveats—that seemed to live up to Target's famous value proposition: Expect more, pay less.
But on signing up, I found that the offer actually delivers less and pushes customers to pay up to $74 more.
The service can give consumers a false sense of security, and Consumer Reports can recommend this deal in its present form only as being better than nothing, and only for consumers who understand its significant shortcomings. Here's why.
One-bureau credit monitoring
The type of credit monitoring offered by Target watches only one credit report—Experian's—and not the credit files maintained by Equifax and TransUnion. "The information on each of your three bureau credit reports can be very different," Experian said. Consequently, by not monitoring two of three bureaus, the service could miss fraudulent activity.
Credit monitoring is not much use for most of what is now called “identity theft,” which involves old-fashioned credit card theft, because monitoring watches your credit report, not unauthorized charges to your existing accounts. But it can be useful against new-account fraud, in which a crook uses your Social Security number and other personal information to open credit accounts in your name. Monitoring tracks changes in your credit report that could indicate fraud, such as the opening of a new account or inquiries by a lender deciding whether to extend credit to your doppelganger.
Unfortunately, credit monitoring is a primitive defense against ID theft that can scare you with lots of alerts for day-to-day nonfraudulent changes in your credit report—only 1 in 20 alerts is actual illicit activity—and that can ultimately train you to ignore the alerts.
That's why industry best practices recommend three-bureau monitoring when Social Security numbers have been stolen, because those are the golden key to new credit.
But although Target has assured customers that “there is no indication that Social Security numbers have been taken," the company also knows that the personal information stolen from Target has opened the door to subsequent theft of Social Security numbers. “We are aware of some scams concerning phishing in the form of e-mails, text, fake websites and phone calls designed to steal personal information from our guests in the wake of the recent data breach,” reads the frequently asked questions posted on the company’s website. One Target FAQ involves breach victims receiving a call, text, or e-mail “from someone who said they were with Target asking for my social security number.”
Given that the threat of Social Security number theft is real and heightened for Target customers, we believe that what could be one of the largest security breaches so far warrants three-bureau monitoring.
I asked Target and Experian why they believe one-bureau monitoring is good enough. Experian left the question to Target, whose spokeswoman claimed not to have details about Target's decision-making process and reiterated ProtectMyIDs basic benefits.
Experian sells ProtectMyID to corporations in data-breach crisis, partly by telling them that free credit monitoring makes victims significantly less likely to sue, and gives companies the choice of paying for one- or three-bureau credit monitoring. Target bought and offered the less-expensive one-bureau monitoring.
The giveaway also gives away only one Experian credit report, available online for only one month. It does not provide any Equifax or TransUnion credit reports. To see your credit report again free under this plan, you must wait until after you discover you've become a victim of identity fraud, when someone actually uses your identity to make unauthorized charges to or withdrawals from your accounts or to commit some other theft or crime.
All these lemons for Target customers make lemonade for Experian. As soon as I signed up and got to "My Protection Center," where Experian claimed I was getting "comprehensive identity protection," an Experian ad informed me otherwise and pitched me to buy my "total credit picture. Why wait? View all three of your credit reports and scores now" for $14.95. One breach remediation industry expert who spoke off the record says Experian calls the shots on subjecting Target breach victims to incessant advertising because once the Target "guests" sign up for Experian's credit monitoring service, they become Experian's customers.
Some of those Experian ads exploit consumers who are ignorant of their rights, because consumer protection laws allow ID theft victims to place a free 90-day fraud alert on their credit report and get their credit reports from all three credit bureaus absolutely free. The Experian PLUS score, meanwhile, is a bogus "educational" score that Experian fine print reveals "is not the score used by lenders."
You don't have to spend big on an ID-protection service. Read "Debunking the Hype Over ID Theft" for all the details.
There were still more ads when I viewed my free credit report's summary page ("Add Triple Alert credit monitoring for only $4.95 per month" and "Add your credit score for only $7.95"), my credit inquiries page ("Get 3 credit reports and 3 credit scores in seconds. Order now!"), and my credit score ("Your PLUS score is [blank]. Order yours now to find out!"). A year of three-bureau credit monitoring and the three credit reports and scores package that a worried consumer might buy adds up to $74.35.
We found other significant letdowns:
- Target gave only passing mention of security freezes, a major ID-theft protection tool, in its website breach notice and in some e-mails to customers. The company made no mention of freezes in the breach FAQs. But toward the end of the press release below the message from Target's CEO, Gregg Steinhafel, Target disclosed information for residents of states that have specific laws about credit freezes, including detailed freeze information under the headline, “If you are a Massachusetts resident.” The information appeared oddly out of alphabetical order with information for North Carolina residents. A freeze effectively turns off access to your credit report by anyone trying to open new bogus accounts in your name; lenders (other than those you already do business with) can't pull your file and are thus less likely to approve the loan. Freezes are typically free for identity theft victims in most states, and Target shoppers affected by the breach should realize that they are now ID theft victims.
- It is unlikely that you'll ever need the $1 million identity theft insurance that comes with the service, as most ID fraud victims don't lose a dime out of pocket, and the minority that did suffer a loss were out an average $108 on existing-account fraud and $449 on new-account fraud in 2013, according to the latest available data from Javelin Strategy & Research, a California consulting firm that tracks the incidence of ID fraud. What's more, the insurance doesn't pay (and isn't necessary) if your loss is covered by federal consumer protections and your bank, your homeowners or renters insurance, or a merchant (such as Target), as is typically the case.
- One protection you might want from the insurance—criminal defense if you are falsely accused of a crime committed by your identity thief—comes with a major gotcha: "We will only pay for this after it has been established by acquittal or dropping of charges because you were not in fact the perpetrator."
On the plus side, if you subsequently become a victim of ID fraud, the Target-breach version of ProtectMyID offers assistance that can walk you through the fraud resolution process and answer your questions. (I haven't had a need to use this yet.) This access continues free beyond the first free year.
What you should do
We've been advising how to protect yourself from the Target thieves since shortly after the breach became news, and about what you should do to guard against fraud in general long before that, so if you haven't already read those reports, catch up on the ones referenced here.
As our colleagues at DefendYourDollars.org, an advocacy initiative of Consumer Reports, have said, credit monitoring doesn't monitor your credit-, debit-, and prepaid-card transactions for fraud, so consumers affected by the Target breach still need to do that. We recommend that you sign up for online or mobile access to your bank and credit card accounts, which give you daily real-time access to all transactions.
Target has also advised its customers to watch for attempts by the thieves to get their personal information that could enable them to commit greater frauds. To help guard against that, place free fraud alerts and security freezes on your credit reports at all three credit bureaus, stay safe online and never give personal identity or financial account information to anyone who calls, texts, or e-mails you or knocks on your front door, and learn to spot phishing attempts. If you think your credit, debit, or prepaid card may have been compromised, ask the issuer for a freshly secure replacement.
Finally, while we don't recommend that you pay for identity theft products, because you can do most of what they do yourself for little or no cost, if a company that lost your data offers the service free, take it, but understand the limitations and don't get suckered into automatic renewal.
Visit the Federal Trade Commission's website and do an "identity theft" search for FTC instructions on what to do if you are the victim of identity theft.
Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.