Target Supremacy: What You Should Know About the 2013 Security Breach

Part 6 in the series: 21st Century Jim Crow in the North Star City

Since Target Corporation’s massive hack in 2013, some significant information has come to light, like the fact that Target was extracting extremely sensitive information from millions of its own customers before it was compromised. Additionally, Target has invested heavily in mass surveillance technologies and policing, and produced unprecedented public-private partnerships with governments, making it one of the most powerful corporations in the U.S.

What sets Target apart from the crowd is an aggressive datamining of customer interactions. That includes customers’ cell phones, web cookies, purchase histories, prescription and other health information.

Reuters, 2014

Revisiting Target’s “Great Hack”

Eight years ago this week, it was revealed that Target was at the center of the largest retail hack in U.S. history, with millions of customers’ info compromised, including 40 million credit cards, and 70 million names, addresses, emails, and other “personal info” according to Bloomberg Businessweek. At the time it was the second largest credit card theft in history, the AP reported. Instead of informing their customers immediately, Target took several days.

Outside of Target’s flagship store in downtown Minneapolis / Photo contributed by Marjaan Sirdar

Bloomberg reported that Target’s computer security team was notified of the data breach by FireEye, the cyber security vendor it had recently purchased services from. Target had ample time to disrupt the hack, but instead ignored the massive breach of up to 110 million customers’ most sensitive information. “The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”

Target didn’t act until the U.S. Dept. of Justice contacted them weeks later on December 12, 2013. Target never provided the public an explanation for its seeming negligence.

The U.S. Senate investigated the hack and included in their findings that “…Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software.”

This is significant considering how Target aggressively goes after shoplifters. Two years before the hack, the Boston Globe reported, “Security technicians compile alerts throughout the day and blast them out to stores to keep them aware of ongoing issues. For example, last week, a local man was suspected of stealing electronics from area Targets, so shops were put on notice.”

Activists are losing trust in America’s retail darling. Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, an advocacy group, said Target is already a leader in the data mining industry and “that makes this breach all the more frightening.”

It is notable that at that time Target itself was collecting much more info from their customers than shopping preferences and social media likes.



Target’s Data Universe and Surveillance Capitalism

Target and other major corporations extract enormous amounts of shopper information and compile massive private dossiers on customers. Data mining is done through “linkability,” or combining that info with other sources that can be assembled into a deep portrait of that person’s public and private affairs, including financial.

Screenshot from Target’s website of a job post in the field of A.I.

Data mining companies are able to retrieve sweeping information on the general population in several ways, including working with other big data firms, international hackers, intelligence agencies, and governments around the world.

Few retailers have invested in big data like the Minneapolis corporation. Target erected its own data warehouses in Elk River (2007), and Brooklyn Park (2014), a security operations center (or corporate command center commonly known as C3) in downtown Minneapolis, a data sciences office in Pittsburgh, a global capabilities center in Bengaluru, India, dozens of investigation centers, and a massive surveillance empire to collect troves of information on the public. Target has engaged in this practice for over two decades with little scrutiny.

According to Reuters, “The company can identify by name more than half the customers who walk into their stores and browse their website […] What sets Target apart from the crowd is an aggressive datamining of customer interactions. That includes customers’ cell phones, web cookies, purchase histories, prescription and other health information.”

They assign every shopper a Guest ID number, tied to their credit card, name, and email address, becoming a bucket that stores a history of purchases Target can then monitor and aggregate with additional customer info they collect and buy from other data companies.

In 2012, the New York Times Magazine published an excerpt from the bestselling book, The Power of Habits: Why We Do What We Do In Life and Business, by Charles Duhigg. Duhigg dug deep into Target’s massive data mining operations. According to the author:

“Also linked to your Guest ID is demographic information like your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what websites you visit. Target can buy data about your ethnicity, job history, the magazines you read, if you’ve ever declared bankruptcy or got divorced, the year you bought (or lost) your house, where you went to college, what kinds of topics you talk about online, whether you prefer certain brands […] your political leanings, reading habits, charitable giving and the number of cars you own.”

Charles Duhigg, The Power of Habits: Why We Do What We Do In Life and Business

Consultant and chairman of the Predictive Analytics World conference, Eric Siegel told Duhigg, “Almost every major retailer […] has a ‘predictive analytics’[…] department’ but Target has always been one of the smartest at this.”

Surveillance capitalism is a system in which corporations mine data on the public to predict individual shopping habits, then manipulate human behavior to keep consumers spending and maximize profits. Under surveillance capitalism, humans and their predicted habits are the commodity.

In Shoshana Zuboff’s critically acclaimed book, The Age of Surveillance Capitalism, she explained:

“Surveillance capitalism unilaterally claims human experience as free raw material for translation into behavioral data. Although some of these data are applied to product or service improvement, the rest are declared as a proprietary behavioral surplus, fed into advanced manufacturing processes known as ‘machine intelligence,’ and fabricated into prediction products that anticipate what you will do now, soon, and later. Finally, these prediction products are traded in a new kind of marketplace for behavioral predictions that I call behavioral futures markets. Surveillance capitalists have grown immensely wealthy from these trading operations, for many companies are eager to lay bets on our future behavior.”

Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (2019)

Targeting Your Kids

Corporations don’t just track adult consumers, they also track children. As explained in the documentary film, The Great Hack, kids growing up today in the age of social media will have massive private dossiers collected on them by the time they become adults. With this data, corporations can classify children according to their behavior, in order “to lay bets on future behavior.”

In early 2013, months before it was hacked, Target was part of a class action lawsuit for spying on the public, adults and children alike, using predatory technology called Flash cookies.

According to the online legal news service, Law360:

“Target Corp. and Toys R Us Inc. surreptitiously installed tracking software on consumers’ computers that allowed them and other advertisers to monitor the consumers’ Internet browsing history and collect personal information, according to proposed class actions removed to Missouri federal court last week

[Target] allegedly installed […] flash cookies […] which allowed them to access the browsing histories of any consumer every time they revisited the website.”

Law360

Target and all of its innovative ways to spy on adults and children give new meaning to a story told recently on the ‘Money. Power. Land. Solidarity’ podcast by host GP Jacob. He recalled years ago when the multinational corporation sponsored the new media center at a local Minneapolis elementary school where he worked. He said they made the teachers dress up in red like Target employees.

Getting caught using Flash cookies leaves little room for doubt that this was an opportunity for Target to collect students’ personal and academic data, and monitor their online activities.

Charles Duhigg documented the retailer’s cutting edge technology that targets expecting mothers in his chapter, “How Target Knows What You Want Before You Do.” Marketing analyst Andrew Pole created Target’s pregnancy prediction model. From analyzing customer demographics and shopping habits, the corporate giant can tell with an incredibly high amount of accuracy if a woman or girl is pregnant. Expecting mothers spend major money with retailers, according to Target, giving them a technological advantage over some other competitors vying for this demographic.

A year after it began using its pregnancy prediction model, an angry father walked into a Minnesota Target store demanding to see the manager, Duhigg documented in his book. “My daughter got this in the mail,” he said, holding a Target advertisement. “She’s still in high school and you’re sending her coupons for baby clothes and cribs. Are you trying to encourage her to get pregnant?”

Turns out the girl was pregnant. Target eventually stopped speaking to Duhigg and prohibited him from being on the property of its headquarters in downtown Minneapolis.


Facial Recognition Tech Used in Target Stores

It was first reported by the Boston Globe in 2011 that Target was spying on shoppers, implying that the corporation was using facial recognition technology (FRT) in stores.

The Minneapolis corporation was collecting biometric data from customers when the Globe quoted one Target forensics specialist saying, “We are using state-of-the-art equipment to gather as much intelligence as possible, reduce business risks, and take down criminals.”

It also reported that Target has “one of the largest and most advanced networks of cameras.” They described technology called gaze trackers that are hidden inside Target store shelves that track which brands customers are looking at and for how long, stating that it has “a system that automatically sends alerts when shoppers dwell too long in front of merchandise…”

In March 2013, it was confirmed by Consumer Reports (CR) that Target collected information from store visitors “recorded by in-store cameras,” according to the retailer’s own privacy policy. The publication alerted readers to retailers who use “super spy cams” hidden in mannequins that monitor shoppers.

Eight months before Target’s hack, CR forewarned of the consequences to corporations, including Target, of amassing sensitive customer data and falling prey to data miners:

Video can be merged with a store’s other data, such as footage of you at the cash register plus the transaction details of what you bought, for how much, using what credit card. Your face and vehicle license plate can be linked. If that info is not securely stored, it could be hacked. Stores don’t provide sufficient disclosure, so you can’t opt out to protect your privacy.

ShopSmart Magazine, Consumer Reports, March 2013

When they questioned Target about its vast surveillance system and data collection on customers, CR reported that “Target refused to comment about the store’s use of video analytics and other tools.”

The retailer extracted biometric data using FRT on every person that walked through the doors of selected stores, for an undisclosed amount of time, according to Buzzfeed. It reported that Target and other retailers have been collecting sweeping biometric data from millions of customers for years without their consent or knowledge.

A spokesperson for Target provided Unicorn Riot with the following statement:

Target doesn’t use facial recognition software in any of our stores. We keep our stores safe by conducting regular team training and implementing robust security procedures. We concluded a facial recognition software test in a small number of Target stores in the summer of 2018 to understand its ability to help prevent fraud and theft. The test was solely related to security and before the test, we updated our privacy policy and posted signs at the entrance of the impacted stores to inform guests of the additional security measures.

Target Spokesperson

However, it is clear they were using FRT well before it got hacked in November 2013. It is also clear from past reporting on the massive hack that the primary media focus was on stolen credit card info and Target never had to account for its customers’ biometric data when up to 110 million customers’ “personal info” was compromised.



Investments in Mass Surveillance and Incarceration

As documented throughout this series, Target has invested heavily in mass surveillance technologies and law enforcement since the early 2000s with its SafeZone/Safe City surveillance program. It began in downtown Minneapolis with the installation of 30 CCTV cameras. It eventually expanded citywide and nationwide.

Surveillance became such an integral part of Target’s business model that in 2006 top executives made jarring revelations via the Washington Post: “In many ways, Target is actually a high-tech company masquerading as a retailer.”

The corporate giant first began funding cops in 1990 when it launched its Law Enforcement Grant Program. However, following 9/11, Target began heavily investing in police and mass surveillance technologies.

According to Bloomberg Businessweek, “For decades, Target fostered partnerships with law enforcement unlike those of any other U.S. corporation. It became one of the most influential corporate donors to law enforcement agencies and police foundations, supplying money for cutting-edge technology and equipment.”

In 2003, a year before the launch of the SafeZone, Target opened up two state-of-the-art crime labs where their “investigators” analyze video, audio, and image forensics to aid security and local police in fighting crime.

Target made it clear to the Washington Post that they are proponents of data fusion, or data integration across sectors, arguing that info sharing could help fight crime. Target’s vice president compared tracking criminals to tracking inventory: “It struck me that following repeat criminals was really an inventory-management problem.”

As detailed throughout this series, Target’s public-private surveillance apparatus between downtown Minneapolis businesses, nonprofits, and police included the Downtown 100 Initiative (DT100), supposedly designed to target repeat offenders. The DT100 has been criticized for its targeted surveillance of Black youth experiencing homelessness with data mining precision.

One group likened this to slavery.


Intelligence, Forensics Services, and More

Following 9/11, Target boasted of its crime fighting capabilities, its partnership with police around the world, its two state-of-the-art forensics labs, and the services it offered local law enforcement free of charge. By 2009, Target investigators had the capabilities of doing much more than analyzing audio, videos, and photos of crime suspects.

Four years before the Target hack, the retailer was a vendor at the National Association for Justice Information Systems conference in Nashville.

Target’s presentation was titled, “Intelligence: Gathered, Analyzed, Disseminated, & Managed.” Other vendors at the conference presented on new innovations such as “Biometrically Enabled Prison Management Systems,” and how to develop a “National Information Exchange Model.”

Unicorn Riot obtained a handout from Target’s presentation that listed resources and services they offer to law enforcement for free, which included: intelligence analysis, man power for search warrant executions, surveillance van, sting trailer, and more as listed on the “Target Investigations Resources” handout below.

In 2013, months before the massive hack, Target hosted a social media training for law enforcement around the country on how to use major online platforms more effectively for surveillance and other purposes.

The Stop LAPD Spying Coalition, a Los Angeles based advocacy group dedicated towards “abolition of the police state” shared a brochure of the LAPD regional crime center sponsored by Target that reads: “INVESTIGATE – COLLABORATE – INCARCERATE.” The group told its Twitter followers to “Remember that motto next time you see pearl clutching about looting at a Target.”


Warnings of and Whistle Blowing on the Public-Private “Surveillance State”

Civil libertarians have long pushed back against government and private sector partnerships and forewarned about the implications of dragnet surveillance on the general population for the purpose of control, but under the guise of “fighting terrorism.”

In 2004, the ACLU warned:

“…acting under the broad mandate of the ‘war’ on terrorism, the U.S. security establishment is making a systematic effort to extend its surveillance capacity by pressing the private sector into service to report on the activities of Americans […] [with] vast computerized networks that automatically feed the government a steady stream of information about our activities.”

ACLU Statement

Yale Law School professor Jack Balkin wrote in 2008 that massive data mining operations are nothing less than the government’s way of backdoor spying on Americans in what he called the “National Surveillance State.”

“The line between public and private modes of surveillance and security has blurred if not vanished. Public and private enterprises are thoroughly intertwined.”

Jack M. Balkin, Minnesota Law Review

It is important to note that Target is not just funding local law enforcement. According to Target, it also partners with the FBI, Immigration and Customs Enforcement (ICE), the Department of Homeland Security (DHS), in addition to funding local county prosecutors, paralegals, probation officers, and city attorneys. Target has extraordinary reach into local and federal government and law enforcement with the multinational corporation seeking to blur the lines.

In his book “Mindf*ck”, Christopher Wylie, a former private sector counterintelligence operative and Cambridge Analytica data scientist turned whistleblower, said the British company Strategic Communication Laboratories’ (SCL) business model was particularly for the purpose of taking “projects that governments couldn’t officially undertake themselves,” due to legalities, and sharing that info with its leaders. SCL was a psychological warfare company that peddled propaganda, and swayed elections, Wylie wrote.

Its subsidiary, Cambridge Analytica (CA), the now-defunct data mining company that was instrumental in the election of former President Donald Trump and the subject of the film The Great Hack, bragged about having 5,000 data points on every American voter.

We asked a spokesperson from Target if the company ever did business with Cambridge Analytica and he responded that he personally didn’t know of any connection but would do some research and follow up. However, his follow up did not include an answer to this particular question.


For decades Target has extracted massive amounts of information from its customers including biometric data, before it got hacked by perpetrators whose identities are still unclear. In May 2017, Target agreed to pay $18.5 million to close investigations with state attorneys general over the massive security breach affecting up to 110 million customers, but it was never mandated to explain why they ignored the hackers, or identify specifics about customer data that was stolen.

That Target holds volumes of the public’s information, given its unprecedented partnership with government and police and its history of allowing 110 million of its customers’ data to get hacked, should give everyone pause.

Unicorn Riot reached out to Target for answers around the questions of whether customer biometric data was leaked in 2013, and why Target stood back and allowed the hack to happen in the first place, but a spokesperson just referred us to its website for all info related to the data breach.

In hindsight, what is clear is the customer credit card numbers were not nearly as valuable as the aggregated data itself. According to one whistle blower featured in The Great Hack, “Data surpassed oil in its value. Data is the most valuable asset on earth.” And according to a former Target executive who helped pioneer its counterintelligence operations, “[Target’s] most important asset was data analytics on guests.”

21st Century Jim Crow in the North Star City – A Series Contributed by Marjaan Sirdar:

About the author: Marjaan Sirdar is the host of the People Power Podcast and filmmaker of the upcoming documentary, Targeted – Part 2

Cover photo and art by Marjaan Sirdar.

