BBC Capital

Four shocking customer data breaches

  • Shopper insecurity

    More than 40 million holiday shoppers at US retail giant Target have more to worry about than whether they found the perfect gifts. The corporation announced this week hackers had been stealing payment card information at every one of its retail locations since late November.

    Target’s woes are just the latest in a long list of security scares at major retailers, online providers and even gaming networks. Perhaps it’s no wonder. Today, just about every online move you make requires a personal login, password and profile. Card data and identifying information are often automated and stored. One-touch payments are becoming more common for everything from taxis to treats.

    While streamlining and linking up personal information makes things easy on the go, it also creates multiple points of entry for potential security breaches and network hacks, which can cause serious inconveniences and issues.

    Since the only real preventions (always paying in cash or never creating a profile on a network of any kind) aren’t feasible for most consumers, it’s important to take vigilant measures to protect your personal and financial data.

    Below are details about four of the biggest security breaches in recent years, including at Target, along with ways to avoid becoming a security statistic.


  • Customers in the bulls-eye at Target

    Target said on 19 December it was investigating a security breach involving hackers accessing the company’s payment system.

    The criminals had been collecting payment card information undetected from around 29 November, known as Black Friday, one of the busiest US shopping days of the year, through 15 December. Investigators estimate the details of up to 40 million credit cards might have been compromised.

    The thieves managed to install malware at credit card payment machines in about 1,797 Target stores. The code copied and stored sensitive card details, including the credit card security codes found only on the cards themselves.

    KEEP-SAFE TIPS: Keep your receipts and crosscheck purchases with charges. Regularly review credit and debit card activity. Your card company likely will alert you about significant suspicious usage, but many times such breaches are small and only small amounts may be charged to your accounts.

    Stay vigilant. Hackers crafty enough to install malicious code across every store location of a behemoth retailer (as in this case) are often able to do so for a period of time without drawing too much attention. Further, many hackers sell the lifted data, and suspicious charges may first appear only months later. To be extra safe, just cancel a credit card you think has been compromised.


  • A losing hand on Sony PlayStation

    It was not all fun and games in the aftermath of a widespread Sony PlayStation Network hack in 2011.

    The incident affected some 70 million gamers around the world and became one of the biggest corporate leaks ever. The attack on the PlayStation Network (PSN) caused an outage that lasted a few days. During that time, users’ passwords were hacked, making personal information and payment data vulnerable.

    The UK Information Commissioner’s Office (ICO) fined Sony Computer Entertainment Europe following the breach, pointing to the country’s Data Protection Act and stating the attack “could have been prevented”. Data protections in the UK are stronger than those in many other countries.

    Users of gaming networks are often distracted by the games themselves and not paying close attention to their accounts, one reason video game companies’ databases are common hacking targets. Big players like Sony and Nintendo and smaller-scale companies like France’s Ubisoft have reported illegal attempts to access their systems.

    KEEP-SAFE TIPS: Children often divulge personal information unnecessarily when creating profiles for gaming and other networks. Make sure they — and you — are only sharing what’s absolutely required to log in or play.

    Be sure you know what information has been collected. A user’s location and card payment information are commonly requested, for instance. If you trade in or sell a console, be sure to wipe it of saved sensitive information first.


  • Fashionistas face a card-theft fest at TJX

    In what was a cross-continental credit and debit card information heist — the most serious in the US so far — hackers collected card payment information over more than 18 months from retailer TJX. TJX owns discount chain stores TJ Maxx, Marshall’s and HomeGoods in the US and Puerto Rico, Bob’s Stores in the US, TJ Maxx in the UK and Winners and HomeSense stores in Canada.

    It is estimated that the thieves gained illegal access to some 45.7 million credit and debit cards, with shoppers at the US, UK, Canada, Ireland and Puerto Rico locations of the company’s stores affected. TJX announced they had discovered the long-running breach in early 2007.

    According to a document the company filed with the US Securities and Exchange Commission (SEC), “the intruder had access to the decryption tool for the encryption software utilized by TJX.” TJX was believed to have been hit before, too; the company discovered in its investigation that bank card details also had been missing beginning in 2002.

    KEEP-SAFE TIP: If you’re going to use plastic, consider using a credit card rather than a debit card. It’s less difficult to dispute something you haven’t yet paid (a charge) than a purchase that has already been debited from your checking account.


  • You’ve been searched at AOL

    Email and search-engine provider AOL was embarrassed in 2006 when its AOL Research unit accidentally released a file to the public that detailed online searches of more than 650,000 of the company’s US subscribers. While subscribers’ names were not linked directly to the searches, many feared they could be traced back to users.

    AOL said the release, which was intended to be a private posting, was an “innocent attempt to reach out to the academic community with research tools”. The company became aware of the mistake when a number of blogs discovered the file. It was removed, but not before copies were made and circulated.

    The slip-up landed AOL in the middle of a Fortune Magazine ranking of the “101 Dumbest Moments in Business” and led to the resignation of one of AOL’s top executives, chief technology officer Maureen Govern.

    KEEP-SAFE TIP: It may sound a bit like Big Brother, but make sure you understand that when you search or browse online, every keystroke can be dug up and traced back with a little (or a lot of) effort. Always double-check your privacy settings and try to use private browsing when online. When you want to protect your online activity, such as shopping and banking, check that the URL begins with “https:”, which shows you have secured communication on the site.
