The size and scope of the consumer data heist from Target Corp. last month is much greater than previously thought, with up to 110 million people at risk from the exposure of credit and debit card numbers, as well as mailing addresses, e-mails and phone numbers, the company said Friday.
The revelation means that the data breach may be the largest ever involving a U.S. retailer and could lead to more complex types of fraud and identity theft for many of those affected.
“It’s big, it’s ugly, and it’s not fun for anyone but the bad guys,” said Jacob Ansari, a data forensics investigator at 403 Labs LLC in Brookfield, Wis.
The revelation also means greater risks and challenges for Minneapolis-based Target, which faces federal and state investigations, customer backlash and a growing number of breach-related lawsuits.
Attorneys general from New York, Connecticut and Massachusetts said they are joining a nationwide probe into the security breach. Already, the Secret Service and the Justice Department are investigating along with Target and a third-party forensics team.
“A breach of this magnitude is extremely disconcerting, and we are participating in a multistate investigation to discover the circumstances that led to this breach,” said Massachusetts Attorney General Martha Coakley.
Target, the nation’s No. 2 retailer, said customers would have “zero liability” from any damage they suffer due to the theft of its data. It offered to provide free credit monitoring and identity theft protection for customers for a year, with details to come next week.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman and chief executive officer, said in a statement.
Steinhafel scheduled an appearance on CNBC Monday morning, a rare interview for the executive who has led Target since 2008 and his first since the company’s initial Dec. 19 statement on the data heist. The company on Friday declined a request to make executives available for interviews.
Target executives told investors Friday to expect financial costs related to the breach throughout the year, though they said it was too early to estimate the size of those charges. The company said its sales slumped following the initial announcement of the breach and, as a result, it lowered its fourth-quarter profit outlook by about 20 percent.
Even so, investors hung in with the company. Target shares closed down just 1.1 percent Friday at $62.62, above the $62.15 close on Dec. 19.
The company’s troubles are far from over because stolen financial information can circulate for a long time, data specialists say, and the costs associated with fixing the problems may expand.
“It sometimes takes months or even years before the stolen card gets used fraudulently,” Ansari said. “Usually, there is a lot of horse trading of stolen cards in the criminal underground.”
Target’s latest announcement marked the second time since the initial revelation that it has disclosed that more data leaked to hackers than was thought. On Dec. 19, the company said that credit and debit card numbers and names of about 40 million customers were obtained. On Dec. 27, it said that customers’ PIN numbers also were exposed, but they were encrypted and the information would be of limited use.
On Friday, Target said personal information, such as phone numbers, addresses and e-mail addresses, for 70 million people also was exposed. Target spokeswoman Molly Snyder said the company doesn’t know how much overlap exists between the original 40 million customers and the additional 70 million, raising the possibility that the data of up to 110 million people was taken.
Al Pascual, a security risk analyst at Javelin Strategy & Research in Pleasanton, Calif., said some of the exposed information that Target acknowledged on Friday is already available in other forms online and in public databases, notably addresses and phone numbers.
“If criminals wanted it, they could go onto Google and get it anyway,” Pascual said. “They don’t have a lot of value to criminals in terms of fraud.”
Target has said hackers obtained the customer data by burrowing into the company’s point-of-sale system and installing malicious software that collected data whenever a customer swiped a payment card at checkout.
After Target first revealed the breach last month, customers swamped the company with phone calls seeking details, while politicians and state prosecutors criticized the company, and the Justice Department launched its investigation. Some banks temporarily imposed limits on the amounts of money that could be withdrawn from accounts that people used to pay the retailer.
Little fraud reported
But so far, relatively little fraud has been reported resulting from the Target breach.
Scott Mayer of Minneapolis suspects his card got caught up in the heist after he bought an iPad at Target’s downtown Minneapolis store. His credit card company alerted him after a suspicious charge was made from a Best Buy in Seattle. Mayer canceled his account and got a new card.
“In today’s technology age, you need to be vigilant,” he said. “I’m always operating under the assumption that people can get information on me that I might not be all that keen about sharing. But it’s a reality of being in business and being on social media. I don’t blame Target. It could easily have happened at Best Buy or another retailer.”
Catherine Krzyzanowski, who was shopping for baby items at a Target in St. Louis Park on Friday, said she wasn’t too worried that her personal information would be compromised. She and her husband both have Target debit cards and don’t plan to cancel them.
“Target said they’d protect consumers, and Target is a good company,” said Krzyzanowski of Golden Valley. “We check our accounts often enough. We feel like if anything showed up they would take care of it.”
For Cara Howe of Edina, the latest bad news from Target moved her to call her bank and cancel her credit cards.
“It won’t affect my shopping at Target,” she said, “but this was the last straw. We’ve been checking our accounts, but this can go on for years. It’s just too much.”
Staff writer Thomas Lee contributed to this report.