The data breach at Target Corp. over the holiday shopping season was far bigger than initially thought, the U.S. company said Friday, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Target Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that’s well beyond the financial information on 40 million people it initially reported.
The company said its ongoing investigation of the breach revealed that names, mailing addresses, phone numbers and email addresses were exposed, at least in partial form, to the hackers who accessed its data system.
The company also said it will close eight poorly performing stores in its 1,800-unit chain, the first time in recent memory it has shut down such a large number at once. Target is closing two stores in Nevada, two in Ohio, and one each in Florida, Georgia, Illinois and Tennessee.
In announcing the new details, Target said, “The theft is not a new breach.” But spokeswoman Molly Snyder later said the possibility exists that the personal information exposure involves different people than the financial one.
If so, as many as 110 million people had data stolen from Target’s system from Nov. 27 to Dec. 15. The number is probably smaller, however, since there is likely overlap in the two groups.
Still, Snyder noted that some of the victims did not shop at Target stores during the period of the breach between Nov. 27 and Dec. 15, and their personal information was stolen from a database.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Target Chief Executive Gregg Steinhafel said Friday in the statement.
Attorneys general from New York, Connecticut, Massachusetts, and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
“A breach of this magnitude is extremely disconcerting, and we are participating in a multi-state investigation to discover the circumstances that led to this breach,” said Massachusetts Attorney General Martha Coakley.
Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email “phishing” campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
“I think they still have no idea how big this is,” said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part due to weaker-than-expected sales since reports of the cyber-attack emerged in mid-December. Target shares closed down just over 1 percent to $62.62, hovering near a year-low.
The largest known breach at a U.S. retailer, uncovered in 2007, was at TJX Cos. Inc., where more than 90 million credit cards were stolen over about 18 months.
FRAUD REPORTS GROWING
Reports of fraudulent card charges have been growing since the Target breach was disclosed, said an executive at one major card issuer who asked not to be identified.
The full magnitude of the damage will not likely be known until later in January, when customers receive and examine their monthly statements and call their banks, the executive said. He added that, in past cases, it has taken 30 to 45 days for the vast majority of bad charges to surface.
Target and credit card issuers have said customers will have zero liability for the cost of any fraudulent charges.
Harlan Loeb, global chairman of the crisis and risk management practice at Edelman, said Target should have been more proactive in communicating with its customers. He thinks Target will have a tougher task containing the situation than TJX did.
“The game has changed so dramatically since 2007,” Loeb said, citing “the dramatic escalation of information channels and the sophistication of hackers” since then.
“The one thing that should be part of any crisis plan is the specter that you might have to be in communication with hundreds of thousands of customers instantly,” Loeb said. “There was an element of that missing” in Target’s case.
According to a Reuters/Ipsos poll, 40 percent of people who shopped at Target during the period of the data breach had not been notified about the incident. Thirty-one percent said they had been notified by Target, and 28 percent said they had been notified by their bank or credit card company. The results represent 640 surveys conducted from Jan. 2 to Jan. 10 with a margin of error of plus or minus 4.5 percentage points.
In the wake of the Target breach, Senate Judiciary Committee Chairman Patrick Leahy introduced Wednesday a new version of a 2005 bill that seeks to improve how companies protect consumer data from cyber thieves.
It would set criminal penalties for intentional or willful concealing of a personal data breach that causes economic damage to consumers, and ensure that conspiring or attempting to commit computer fraud would face the same penalties as completed offenses.
TOTAL COST UNKNOWN
On Friday, Target cut its fourth-quarter adjusted earnings forecast for U.S. operations to between $1.20 and $1.30 per share from $1.50 to $1.60. The Minneapolis-based company also forecast a 2.5 percent decline in fourth-quarter same-store sales. It had forecast flat sales.
Target expects full-year earnings per share to include charges related to the data breach, but said it could not estimate the costs.
The Minneapolis Star Tribune contributed to this report.