Target: Up to 110 million at risk in data breachTarget Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that’s well beyond the financial information on 40 million people it initially reported.
By: Evan Ramstad and Thomas Lee, Minneapolis Star Tribune
MINNEAPOLIS — Target Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that’s well beyond the financial information on 40 million people it initially reported.
The company said its ongoing investigation of the breach revealed that names, mailing addresses, phone numbers and email addresses were exposed, at least in partial form, to the hackers who accessed its data system.
The company also said it will close eight poorly performing stores in its 1,800-unit chain, the first time in recent memory it has shut down such a large number at once.
In announcing the new details, Target said, “The theft is not a new breach.” But spokeswoman Molly Snyder later said the possibility exists that the personal information exposure involves different people than the financial one.
If so, as many as 110 million people had data stolen from Target’s system from Nov. 27 to Dec. 15. The number is probably smaller, however, because there probably is overlap in the two groups.
Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email “phishing” campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
“I think they still have no idea how big this is,” said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
To date, little fraud has been reported related to the breach. But since it was initially announced Dec. 19, Target has twice been forced to acknowledge that more information got out than it thought. On Dec. 27, Target said that customers’ PINs were exposed.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and CEO at Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
In addition, the company revealed its own financial impact of the theft for the first time, saying that shoppers turned away from its stores after the incident was revealed on Dec. 19 and it expects lower sales and profits as a result.
Target continues to assure customers they will have no liability for fraudulent charges. The retailer is offering customers free credit monitoring and identity theft protection. It is also warning shoppers to watch out for email, phone and other scams that could be based on stolen information.
Company officials said customers should particularly be wary of requests for Social Security numbers, passwords, user IDs and financial account information, as well as mass emails asking for money.
Although Target has not seen much fraud related to the data theft, company officials won’t say how many such transactions have occurred.
The data breach is one of the largest involving a U.S. corporation. Hackers inserted malicious software onto the point-of-sale terminals where Target customers swiped their credit and debit cards for payment at the end of a shopping excursion.
After it was revealed on Dec. 19, customers swamped the company with phone calls seeking details, politicians criticized the company and the Justice Department launched an investigation. Some banks temporarily imposed limits on the amounts of money that could be withdrawn from accounts that people used to pay Target.
Investors, however, have been less shaken. Target shares have been volatile but traded in a tight range of about $61.50 to $63.50 per share.
Although the data theft is probably the biggest headache facing Target, it is not the only one.
Target has worked hard to convince customers to use its REDcard debit and credit cards, which provide incentives for the retailer’s best customers to spend more. The cards offer 5 percent discounts on most purchases and, of late, have accounted for about a fifth of Target’s sales.
The data breach could hurt the popularity of REDcards, Morningstar retail analyst Ken Perkins said.
“That opportunity could be lost to some extent if fewer people are willing to trust Target with their information on a REDcard,” he said.
In its discussion of the financial impact, Target said that sales turned “meaningfully weaker” after the incident was revealed in mid-December. It lowered its outlook for fourth-quarter comparable sales revenue to a drop of 2.5 percent. It previously thought such sales would be unchanged from the year-earlier period.
Target said that it now expects its fourth-quarter profit to be in a range of $1.20 to $1.30 a share, down from its previous expectation of $1.50 to $1.60 a share.
Executives said the company’s sales were doing better than they expected before the data breach was revealed on Dec. 19.
In addition to the potential costs of the data breach, Target said its fourth-quarter performance would be weakened by expenses related to closing eight stores, some real estate costs and some costs related to its massive expansion in the Canadian market this year, where it opened more than 100 stores.
Target is closing two stores in Nevada, two in Ohio, and one each in Florida, Georgia, Illinois and Tennessee.
Minnesota Public Radio and Reuters contributed to this report.