Fordham Law

Jackpot: Target Data-Theft Victims Become a Credit Agency Gold Mine

Joel Reidenberg in US News & World Report, March 26, 2014

Media Source

It’s a peculiar kind of alchemy, turning crime victims into cash cows.

But that’s just what one of the nation’s three major credit bureaus has accomplished, consumer-protection experts and advocates allege, luring millions of identity-theft victims with a “bargain-basement product” that offers merely “a false sense of security,” all the while “upselling” them far pricier versions that will ultimately reap millions of dollars.

“A victim is now going to be bait for a series of commercial solicitations,” says attorney Joel Reidenberg, a professor and director of the Center on Law and Information Policy at Fordham University’s School of Law, and a visiting professor at Princeton University. “There’s an unfairness in that.”

Last November and December, hackers stole personal information for anywhere from 70 million to 110 million people who shopped at Target during the holiday shopping season, store and state officials said, swiping addresses, names, phone numbers and other personal information.

The breach was one of the largest ever. And in the weeks that followed, Target rolled out what’s become a common response for corporate hacking victims: an offer of free credit monitoring for a year, courtesy of the credit bureau Experian.

“Offering a credit monitoring service has become kind of a way for companies that are the victim of a data breach to earn PR points,” says John Breyault, vice president of public policy for the National Consumers League, an advocacy group. “After almost any data breach, we’ve seen companies offering free credit monitoring.”

Neiman Marcus, Anheuser-Busch, the University of Maryland and even Veterans Affairs extended free monitoring offers after apparent breaches. In fact, Experian, itself, provided free monitoring to its employees after a subsidiary sold sensitive information to a Vietnamese data-theft ring.

U.S. News made several attempts to contact Experian for comment, via both email and phone messages, but the company declined to comment. Experts estimate that millions of customers have signed up for the company's free monitoring services.

Experian's free monitoring, though, amounts to little more than a “bargain-basement product,” says Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse.

The alleged problems are twofold. First, Experian’s monitoring service, called ProtectMyID, tracks only what’s known as “new account fraud,” which occurs when someone uses stolen information to try to get a new line of credit, such as with a credit card, car loan or mortgage.

The far more likely type of fraud, though, is “existing account fraud” – when someone uses the credit information they’ve stolen to buy luxury items like Rolex watches and Gucci bags, which they then sell on the street for cash.

“It’s a lot simpler to perpetuate a fraud with existing account information rather than having to go through the more cumbersome process of having to create a new account,” Stephens says. “In fact, in the past couple of years, new account fraud has been tapering off.”

Experian’s ProtectMyID, though, excludes existing account fraud. Moreover, it only tracks the credit inquiries that are sent to Experian, ignoring those made to the nation’s two other major credit bureaus, TransUnion and Equifax.

“It’s a huge gap,” Stephens says.

Here’s why: Different companies use different monitoring services – one car dealership, for example, may use TransUnion to check a buyer’s credit, while another may use Experian. Hence, if a fraudster tries to open a new line of credit with a company that uses TransUnion or Equifax, any Target customers using the free ProtectMyID service won’t find out until months later.

“People may think this credit report monitoring is going to protect them from identity theft, and it doesn’t,” says Avivah Litan, a fraud and security analyst at the technology firm Gartner. “It doesn’t protect them from anything.”

What it does do, instead, is give Experian “a very lucrative business line,” says Reidenberg, the Fordham professor.

ProtectMyID opens an entire new market to Experian – one that may span millions, if not tens of millions, of potential paying customers.

“If you do just a couple napkin calculations, if less than 10 percent sign up for the monitoring service, and less than 10 percent of those people sign up for continued monitoring after the year is up, you can be talking a million people paying at least a couple dollars a month,” Reidenberg says.

Stephens agrees. “These are products that are extremely profitable,” he says. “It may well be that the marketing value is so great that it is possible that Experian provided the service to Target at no cost – or they might have even paid Target for this. We just don’t know.”

In response to inquiries from U.S. News, Target declined to discuss the terms of its deal with Experian. The company, however, did provide a statement addressing the overall issue.

“Target understands some guests are nervous about the impact the recent data breach may have on them,” Sarah Van Nevel, of the company's public relations department, said in an email to U.S. News. “We are offering this product in order to ease all guest concerns and provide peace of mind.”

She adds that while customers would be able to “opt in” to getting offers from Experian, “the default is for guests not to receive any additional promotions from Experian.”

Target shoppers have until April 23 to sign-up for the service. Officials and consumer advocates have urged them to do so.

“There’s no reason they shouldn’t take advantage of it,” Breyault says.

Nevertheless, he and others warned users to be wary of any marketing hype, and most importantly, to be aware of the free credit services that are already available: notably, free annual credit reports, courtesy of all three credit bureaus.

“Monitor your credit report, monitor your credit card statement, dispute suspicious charges,” Breyault describes. “And if you believe you’ve been a victim of identity theft, continue taking more aggressive measures.”