Target customers whose info was stolen may include online shoppers

Target customers whose information -- name, addresses, phone numbers and email addresses -- was stolen need not have shopped at the retailer’s stores during the busy holiday shopping season, a spokeswoman confirmed Friday.

The information, said Target spokeswoman Molly Snyder, was collected during the “course of normal business,” and could include online shopping.

Friday’s latest disclosure by the Minneapolis-based retailer that hackers made away with the data of 70 million additional Target customers shows that the data breach late last year was far larger and broader than previously thought.

Target initially said Dec. 19 that debit and credit card information for 40 million customers was pilfered during the busy holiday shopping season between Nov. 27 and Dec. 15. About a week later, the retailer also reported that the hackers had accessed “strongly encrypted” personal identification numbers when they tapped into the retailer’s systems.

The retailer said the theft of the information from up to 110 million customers was not a new breach but was uncovered as part of the ongoing investigation into the theft of millions of customers’ credit and debit card information.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s chief executive said. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

The retailer is offering one year of free credit monitoring and identity theft protection to all affected customers who shopped at U.S. stores. Customers will have three months to enroll, Target said in a statement.

Target also reported that sales at its U.S. unit were “meaningfully weaker” after the data breach was reported. The company’s reputation has taken a hit, surveys show, and the company is facing lawsuits and accusations that it waited too long in disclosing that its system had been hacked.