The theft may be largest ever involving a U.S. retailer
The size and scope of the consumer data heist from Target Corp. last month is much greater than previously thought, with up to 110 million people put at risk by the exposure of credit and debit card numbers, as well as mailing addresses, e-mails and phone numbers, the company said Friday.
The revelation means that the data breach may be the largest ever involving a U.S. retailer and could lead to more complex types of fraud and identity theft for many of those affected.
“It’s big, it’s ugly, and it’s not fun for anyone but the bad guys,” said Jacob Ansari, a data forensics investigator at 403 Labs LLC in Brookfield, Wis.
The revelation also means greater risks and challenges for Minneapolis-based Target, which faces federal and state investigations, customer backlash and a growing number of breach-related lawsuits.
Attorneys general from New York, Connecticut and Massachusetts said they are joining a nationwide probe into the security breach. Already, the Secret Service and the Justice Department are investigating along with Target and a third-party forensics team.
“A breach of this magnitude is extremely disconcerting, and we are participating in a multistate investigation to discover the circumstances that led to this breach,” said Massachusetts Attorney General Martha Coakley.
Target, the nation’s No. 2 retailer, said customers would have “zero liability” from any damage they suffer due to the theft of its data. It offered to provide free credit monitoring and identity theft protection for customers for a year, with details to come next week.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman and chief executive officer, said in a statement.
Steinhafel scheduled an appearance on CNBC Monday morning, a rare interview for the executive who has led Target since 2008 and his first since the company’s initial Dec. 19 statement on the data heist. The company on Friday declined a request to make executives available for interviews.
Target executives told investors Friday to expect financial costs related to the breach throughout the year, though they said it was too early to estimate the size of those charges. The company said its sales slumped following the initial announcement of the breach and, as a result, it lowered its fourth-quarter profit outlook by about 20 percent.
Even so, investors hung in with the company. Target shares closed down just 1.1 percent Friday at $62.62, above the $62.15 close on Dec. 19.
The company’s troubles are far from over because stolen financial information can circulate for a long time, data specialists say, and the costs associated with fixing the problems may expand.
“It sometimes takes months or even years before the stolen card gets used fraudulently,” Ansari said. “Usually, there is a lot of horse trading of stolen cards in the criminal underground.”
Target’s latest announcement marked the second time since the initial revelation that it has disclosed that more data leaked to hackers than was thought. On Dec. 19, the company said that credit and debit card numbers and names of about 40 million customers were obtained. On Dec. 27, it said that customers’ PIN numbers also were exposed, but they were encrypted and the information would be of limited use.
On Friday, Target said personal information, such as phone numbers, addresses and e-mail addresses, for 70 million people was also exposed. Target spokeswoman Molly Snyder said the company doesn’t know how much overlap exists between the original 40 million customers and the additional 70 million, raising the possibility that the data of up to 110 million people was taken.
Al Pascual, a security risk analyst at Javelin Strategy & Research in Pleasanton, Calif., said some of the exposed information that Target acknowledged on Friday is already available in other forms online and in public databases, notably addresses and phone numbers.
“If criminals wanted it, they could go onto Google and get it anyway,” Pascual said. “They don’t have a lot of value to criminals in terms of fraud.”