Changing card PIN only first step after Target breach: experts

NEW YORK (Reuters) - Changing the security code for your debit card may be as easy 1-2-3 following a widespread data breach at Target but guarding your personal information from hackers is a longer-term battle, according to experts.

The sign outside the Target store is seen in Arvada, Colorado January 10, 2014. REUTERS/Rick Wilking

Even though the government protects consumers from this type of fraud, you are not guaranteed the store or bank whose computer system is hacked will tell you about the theft of your personal data.

State laws vary on notifying consumers about such theft.

So it’s ultimately up to the consumers to make sure their personal data don’t fall into the wrong hands or at least limit the damage if were to happen.

Report unauthorized charges as soon as possible to your credit/debt card companies and monitor regularly your credit activities via the three major credit bureaus, experts say.

Most importantly, don’t answer calls and emails from people posing as agents of banks and card companies because they are scamming for more information about you, they say.

“Consumers are freaked out about it but as long as you report suspicious activities right away, you have zero liability,” said Greg McBride, senior financial analyst at in North Palm Beach, Florida.

Target, the No. 3 U.S. retailer, said hackers stole the personal data of at least 70 million customers including names, mailing addresses, telephone numbers and email addresses during the year-end holiday shopping season. Earlier, it had said data from 40 million credit and debit cards were stolen.

Neiman Marcus on Friday said it was too a victim of hackers but it was unclear how many of its customers were affected.

Sources familiar with these attacks told Reuters hackers broke into at least three other well-known U.S. retailers’ financial networks during the same period.

A first step for consumers, particular those who used their personal identification numbers (PINs) with their debt card purchases during Christmas, is to change the PIN, but make it that makes the combination tough on hackers.

“Don’t use your birthdate or your dog’s name. Use a combination of letters, numbers and symbols like hashtags and question marks. Make your PIN harder to crack,” said Ed Mierzwinski, consumer program director at U.S. PIRG, a Washington-based consumer group.

Even a tough PIN combination is not foolproof against hackers who have becoming increasingly sophisticated. “If they got it, they got it,” Mierzwinski said.

Rather than changing your security code and risk another hacking, request for a new credit or debt card.

As the fallout of this latest cyber attack mushrooms, banks might end up issuing millions of new cards anyway because they could be on the hook for millions of bad charges.

“Fraudulent transactions could pile up pretty quickly. We might on the verge that card issuers might issue a lot of new cards and accounts,”’s McBride said.

Changing your PIN and getting a new card are quick fixes. You still need to make sure hackers haven’t racked up purchases under your identity, analysts said.

Watch for suspicious purchases online and notify your card issuer right away. Don’t ignore even small charges because the scam artists might be testing to see whether they could get away bigger ones later.

Consumers are entitled to a free annual credit report from each of the major bureaus, Experian, Equifax and TransUnion.

These credit reporting agencies also offer monitoring services for a monthly fee, but PIRG’s Mierzwinski said they are pricey and unnecessary.

In cases of breaches like Target, a company often buys them for its customers for a period of time, according to experts.

Perhaps most important of all, high-tech con men who already have some information on you will likely want more.

Don’t give your PIN, birthdate and Social Security number over the phone or email, which are vital data to open new card accounts and apply for loans. These “phishing attacks” often pose as inquiries from bank and card companies.

If you get such type of calls, hang up, call the number on your card and tell the bank you received a phishing call.

Or it comes via email, don’t open it because it might contain a computer virus that is created to retrieve personal data. Just delete it, said PIRG’s Mierzwinski said.

While Target’s data theft which is still unfolding is unsettling, “don’t panic, you are protected,” Mierzwinski said.

Reporting by Richard Leong; Editing by Bernard