The size and scope of the consumer data heist from Target Corp. last month is much greater than previously thought, with up to 110 million people at risk by the exposure of credit and debit card numbers, as well as mailing addresses, e-mails and phone numbers, the company said Friday.
The revelation means that the data breach may be the largest ever involving a U.S. retailer and could lead to more complex types of fraud and identity theft for many of those affected.
"It's big, it's ugly, and it's not fun for anyone but the bad guys," said Jacob Ansari, a data forensics investigator at 403 Labs LLC in Brookfield, Wis.
The revelation also means greater risks and challenges for Minneapolis-based Target, which faces federal and state investigations, customer backlash and a growing number of breach-related lawsuits
Attorneys general from New York, Connecticut and Massachusetts said they are joining a nationwide probe into the security breach. Already, the Secret Service and the Justice Department are investigating along with Target and a third-party forensics team.
"A breach of this magnitude is extremely disconcerting, and we are participating in a multistate investigation to discover the circumstances that led to this breach," said Massachusetts Attorney General Martha Coakley.
Target, the nation's No. 2 retailer, said customers would have "zero liability" from any damage they suffer due to the theft of its data. It offered to provide free credit monitoring and identity theft protection for customers for a year, with details to come next week.
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Gregg Steinhafel, Target's chairman and chief executive officer, said in a statement.