Target says data breach is far larger than first estimated

The data breach at Target Corp. is dramatically larger than first estimated, affecting as many as 110 million consumers and deepening a public relations nightmare for the beleaguered retailer.

The Minneapolis company said Friday that the personal information of as many as 70 million people — including names, addresses, emails and phone numbers — was stolen during the year-end holiday shopping season.

That is in addition to the 40 million customers that Target originally said were hit by the cyberattack.

Though there is likely to be overlap between the two groups, the Target attack now appears to rank as the nation’s biggest cybercrime against a single retailer. The 110 million potential victims represent about 45% of the U.S. adult population.


“We’re at a scale that has probably never been seen before,” said Scott Mitic, senior vice president at Equifax, a consumer credit rating firm. “This is going to be a case study that people will talk about for another decade.”

The two batches of data were stolen simultaneously but affected different sets of data and customers.

Target disclosed the theft of the first batch Dec. 19, saying cyberthieves lifted primarily financial information from people who shopped at its stores between Nov. 27 and Dec. 15.

The hackers made off with credit and debit card information, including customer names, card numbers and a security code encrypted in cards’ magnetic strips. Target later disclosed that personal identification numbers also were snatched, but said the PINs were encrypted.

The second batch of data disclosed Friday encompassed largely personal information such as names, addresses, phone numbers and email addresses. This part of the attack affected anyone who shopped online or in a store, over an indeterminate amount of time.

The risk to customers, experts said, is if the culprits can match personal and financial details from the two batches. That would clear a path for them to make fraudulent purchases, siphon money from bank accounts or steal victims’ identities.

Target promised Friday to offer customers free credit monitoring and identity theft protection for one year. It will provide more details in the coming week and customers will have three months to sign up.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Target Chief Executive Gregg Steinhafel said in a statement.


Much about the Target attack remains unknown, including who pilfered the data and how they carried off such a coordinated scheme.

Target appears to be moving quickly to assess what happened, but it will take months to determine the scope, said Shane Shook, a computer security expert for Irvine-based Cylance Inc. who has worked on some of the biggest breaches in the retail industry.

Target has “released a lot of information very quickly in comparison to past retail breaches,” Shook said. “But what they’re demonstrating is they simply don’t know the extent of the breach yet or how many people are going to be affected.”

The attack is weighing on Target’s bottom line. The company lowered its fourth-quarter earnings projections Friday, saying the fallout had eaten into sales.


Fourth-quarter earnings per share will be $1.20 to $1.30, down from the previous estimate of $1.50 to $1.60, the company said. Sales were stronger than expected prior to the disclosure of the hack but “meaningfully weaker” afterward.

The data hack has been a public relations fiasco for Target. Aggrieved customers have blasted the company on social media for allegedly lax security controls and for the difficulty in reaching phone operators afterward.

Friday’s announcement added to the angst of customers such as Trish Mack who are worried about their financial identities.

Mack, a 50-year-old from Spokane, Wash., shopped at a Target store in early December with her credit card. On Dec. 17, two days before Target’s first disclosure, she was alerted to several fraudulent charges racked up on her credit card and also that her email account had been hacked.


There is no way to know for sure whether the hack on her accounts is directly related to Target. But that doesn’t make her feel any better.

“Not only are we frustrated, we’re worried,” Mack said. “What other information do [the hackers] have?”

David Johnson, head of a crisis communications firm in Atlanta, faulted Target for what he sees as the company’s awkward release of information.

Target “continues to roll out ‘we found this out, we found that out,’” Johnson said. “But they’re not putting a human face on the responses or explaining why this is taking so long to have this come out.”