The disclosure is another hitch for the retailer during a rocky entry into its first international market.
Target Corp. has been e-mailing Canadian customers that some of their personal information was taken during the data heist late last year.
The personal information was in the second haul of data from the Target theft, which included names, mailing addresses, phone numbers or e-mail addresses, as opposed to payment card data. The stolen personal information involves about 70 million people altogether, although only a small portion of that affects Target’s customers in Canada, where the company operates 124 stores.
The e-mails to Canadian customers started going out this week, said Target spokeswoman Molly Snyder.
This is the first time Target has described an international impact, a disclosure that comes at an awkward time as the Minneapolis-based retailer fights for success in Canada.
The affected Canadian shoppers didn’t necessarily shop at a physical Target store during the breach period or cross the border to a U.S. store, Snyder said. She emphasized that Target still believes that debit and credit card information affecting 40 million accounts was taken only from point-of-sale devices in its U.S. stores, not those in Canada.
Rather, the limited personal information the thieves snatched had been acquired by Target “during normal course of business,” Snyder said.
“Please know that our Canadian stores were not impacted by the unauthorized access to payment information,” the company said in a note to customers about the breach posted on its Canadian website. (The words “were not” were underlined for emphasis.)
Snyder said the majority of the e-mail addresses “came from things when a guest makes a purchase on Target.com, signed up for a weekly ad, managed a Redcard online or set up a registry.”
Because of the ongoing investigation into the giant 19-day data breach, the company isn’t saying exactly how thieves gained access to the personal information, just that the theft is linked to the security breach, which was caused by malicious software that infiltrated the point-of-sale systems at Target’s U.S. stores.
“At this time there is no indication there’s been any impact to Social Security [numbers] or driver’s licenses,” Snyder said.
The cyberthieves hit the country’s No. 2 discount retailer at a particularly bad time, striking during its entry into the Canadian market and the critical holiday shopping rush.
Target’s much-anticipated entry into Canada, its first big international expansion, hasn’t gone smoothly, with the cheap-chic retailer struggling to keep merchandise on the shelves and alienating some customers with higher prices north of the border.
James Smerdon, vice president and director of retail consulting at Colliers International Consulting in Vancouver, said he thinks Canadians represent about 1 percent of the 70 million people whose personal information was taken, or about 700,000 people.
Smerdon called the breach and subsequent e-mails to Canadians “very lousy timing” for Target, but said he doesn’t think it will have a big long-term impact on the retailer’s northern rollout.
“These things are happening so frequently that I think the Canadian shopper is getting a little bit numb to the idea of data breaches,” Smerdon said. “The Target rollout into Canada … I hate to say it bluntly, but it probably couldn’t be too much worse at this point. It’s just one more thing.”
Target also confirmed Tuesday that it shut down remote access to parts of its internal Web operations as it tightened up security in response to the breach, but it would not say which parts.
Dow Jones reported Tuesday that Target shut down two internal websites, one for employees called eHR and another for suppliers called Info Retriever, used to track sales data. The supplier system went dark Dec. 19, the day the Target breach became public, according to the Dow Jones report, and was back online last week. Company e-mails to suppliers said the outage was due to maintenance.