I don't understand breached retailers offering "identity theft and credit monitoring solutions" just because CC data was leaked. The big winners are Equifax/Experian/TransUnion and "security companies" who now get to sell Michaels, Target, etc. multiple millions of dollars in services that just hurt their bottom line and/or increase prices for consumers.
It's not like Michaels and Target, both of which I shop at, have the magic "shared secret" of SSN, address, and DOB. It's just a credit card. Worst case scenario, some transactions show up that I didn't authorize, and I report it. Credit card fraud is not the same as "identity theft"!
It's never anything simple, like plain incompetence or not following "best practices". In this case we're told it was "highly sophisticated malware".
Yeah, sure, because a store that sells low cost craft supplies like Michaels does is undoubtedly a "high value" target worthy of only the most advanced malware ever written.
You don't have to be a high value target to be a target, you just have to be online, vulnerable, and have something worth taking. Most companies fall under that umbrella. Likewise, highly sophisticated malware doesn't mean that someone wrote the most advanced malware ever, just that Michaels was protected yet still vulnerable in some way. All it took was finding out how, and that's not easy either. Heartbleed is dead simple, but still took years to discover, for example.
Information security is hard. You have to be right 100% of the time, while the attackers only have to be right once. Best practices and competence will only get you so far. If someone wants to get in and you were only 99% right, they WILL get in. It's just a matter of time.