
Target reveals more customer data exposed in breach

The theft may be largest ever involving a U.S. retailer

(Matt Gillmer/Matt Gillmer)

The size and scope of the consumer data heist from Target Corp. last month is much greater than previously thought, with up to 110 million people at risk by the exposure of credit and debit card numbers, as well as mailing addresses, e-mails and phone numbers, the company said Friday.

The revelation means that the data breach may be the largest ever involving a U.S. retailer and could lead to more complex types of fraud and identity theft for many of those affected.

"It's big, it's ugly, and it's not fun for anyone but the bad guys," said Jacob Ansari, a data forensics investigator at 403 Labs LLC in Brookfield, Wis.

The revelation also means greater risks and challenges for Minneapolis-based Target, which faces federal and state investigations, customer backlash and a growing number of breach-related lawsuits.

Attorneys general from New York, Connecticut and Massachusetts said they are joining a nationwide probe into the security breach. Already, the Secret Service and the Justice Department are investigating along with Target and a third-party forensics team.

"A breach of this magnitude is extremely disconcerting, and we are participating in a multistate investigation to discover the circumstances that led to this breach," said Massachusetts Attorney General Martha Coakley.

Target, the nation's No. 2 retailer, said customers would have "zero liability" from any damage they suffer due to the theft of its data. It offered to provide free credit monitoring and identity theft protection for customers for a year, with details to come next week.

"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Gregg Steinhafel, Target's chairman and chief executive officer, said in a statement.


Steinhafel scheduled an appearance on CNBC Monday morning, a rare interview for the executive who has led Target since 2008 and his first since the company's initial Dec. 19 statement on the data heist. The company on Friday declined a request to make executives available for interviews.

Target executives told investors Friday to expect financial costs related to the breach throughout the year, though they said it was too early to estimate the size of those charges. The company said its sales slumped following the initial announcement of the breach and, as a result, it lowered its fourth-quarter profit outlook by about 20 percent.

Even so, investors hung in with the company. Target shares closed down just 1.1 percent Friday at $62.62, above the $62.15 close on Dec. 19.

The company's troubles are far from over because stolen financial information can circulate for a long time, data specialists say, and the costs associated with fixing the problems may expand.

"It sometimes takes months or even years before the stolen card gets used fraudulently," Ansari said. "Usually, there is a lot of horse trading of stolen cards in the criminal underground."

Target's latest announcement marked the second time since the initial revelation that it has disclosed that more data leaked to hackers than was thought. On Dec. 19, the company said that credit and debit card numbers and names of about 40 million customers were obtained. On Dec. 27, it said that customers' PIN numbers also were exposed, but they were encrypted and the information would be of limited use.


On Friday, Target said personal information, such as phone numbers, addresses and e-mail addresses, for 70 million people also was exposed. Target spokeswoman Molly Snyder said the company doesn't know how much overlap exists between the original 40 million customers and the additional 70 million, raising the possibility that the data of up to 110 million people was taken.

Al Pascual, a security risk analyst at Javelin Strategy & Research in Pleasanton, Calif., said some of the exposed information that Target acknowledged on Friday is already available in other forms online and in public databases, notably addresses and phone numbers.

"If criminals wanted it, they could go onto Google and get it anyway," Pascual said. "They don't have a lot of value to criminals in terms of fraud."

Target has said hackers obtained the customer data by burrowing into the company's point-of-sale system and installing malicious software that collected data whenever a customer swiped a payment card at checkout.

After Target first revealed the breach last month, customers swamped the company with phone calls seeking details, while politicians and state prosecutors criticized the company, and the Justice Department launched its investigation. Some banks temporarily imposed limits on the amounts of money that could be withdrawn from accounts that people used to pay the retailer.

Little fraud reported

But so far, relatively little fraud has been reported resulting from the Target breach.


Scott Mayer of Minneapolis suspects his card got caught up in the heist after he bought an iPad at Target's downtown Minneapolis store. His credit card company alerted him after a suspicious charge was made from a Best Buy in Seattle. Mayer canceled his account and got a new card.

"In today's technology age, you need to be vigilant," he said. "I'm always operating under the assumption that people can get information on me that I might not be all that keen about sharing. But it's a reality of being in business and being on social media. I don't blame Target. It could easily have happened at Best Buy or another retailer."

Catherine Krzyzanowski, who was shopping for baby items at a Target in St. Louis Park on Friday, said she wasn't too worried that her personal information would be compromised. She and her husband both have Target debit cards and don't plan to cancel them.

"Target said they'd protect consumers, and Target is a good company," said Krzyzanowski of Golden Valley. "We check our accounts often enough. We feel like if anything showed up they would take care of it."

For Cara Howe of Edina, the latest bad news from Target moved her to call her bank and cancel her credit cards.

"It won't affect my shopping at Target," she said, "but this was the last straw. We've been checking our accounts, but this can go on for years. It's just too much."


Staff writer Thomas Lee contributed to this report.

crosby@startribune.com • 612-673-7335 mike.hughlett@startribune.com • 612-673-7003 evan.ramstad@startribune.com • 612-673-4241

Exterior signage of the Target Corp. store in Torrance, California, U.S., on Tuesday, August 20, 2013. Target is expected to announce quarterly earnings results on Aug. 21, 2013. Photographer: Patrick T. Fallon/Bloomberg
Target says personal information of customers was taken in the data breach it suffered from late November to mid-December. (Evan Ramstad — Bloomberg/The Minnesota Star Tribune)
FILE - In this Dec. 19, 2013, file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target says that personal information, including phone numbers and email and mailing addresses, was stolen from as many as 70 million customers in its pre-Christmas data breach. That was substantially more customers than Target had previously said were affected. (AP Photo/Steven Senne, File)
about the writers

Mike Hughlett

Reporter

Mike Hughlett covers energy and other topics for the Minnesota Star Tribune, where he has worked since 2010. Before that he was a reporter at newspapers in Chicago, St. Paul, New Orleans and Duluth.


Evan Ramstad

Columnist

Evan Ramstad is a Star Tribune business columnist.


Jackie Crosby

Reporter

Jackie Crosby is a general assignment business reporter who also writes about workplace issues and aging. She has also covered health care, city government and sports. 
