Target data breach much worse, affected 70 million customers
Target said a massive payment card data breach during the holiday shopping season affected up to 70 million people, far more than previously estimated.
A passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target says that personal information — including phone numbers and email and mailing addresses — was stolen from as many as 70 million customers in its pre-Christmas data breach. That was substantially more customers than Target had previously said were affected.
Steven Senne/AP/File
Target Corp said up to 70 million customers were hit by the theft of data over the holiday shopping season, a far more serious breach than previously disclosed.
Shares of the company, which also slashed its fourth-quarter earnings forecast, fell slightly in early trading on Friday.
The third-largest U.S. retailer said in December that hackers had stolen data from up to 40 million credit and debit cards between Nov. 27 and Dec. 15, the second-largest such breach reported by a U.S. retailer.
The news raised concerns that Target had not yet fully grappled with the extent of the data breach.
"I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
"This is going to end up being much larger than 70 million and end up being the largest retail breach in history," said Kennedy, who has experience investigating retail breaches.
The largest known breach at a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.
Target said on Friday an ongoing forensic investigation showed that certain customer information in addition to the originally reported payment card data had been stolen.
The investigation showed that stolen information included names, mailing addresses, phone numbers and email addresses of customers in addition to those who swiped their cards during the 19-day breach period, Targetspokeswoman Molly Snyder said.
Target's disclosure on Friday was the first time it revealed the number of customers affected. Previously it has talked about the number of credit and debit cards affected.
Target said customers will have zero liability for the cost of any fraudulent charges.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Chief Executive Gregg Steinhafel said in a statement.
The company cut on Friday its fourth-quarter adjusted earnings per share forecast for its U.S. operations to $1.20 to $1.30 from $1.50 to $1.60.
The Minneapolis-based company also forecast a 2.5 percent decline in fourth-quarter same-store sales. It had previously forecast flat sales.
Target expects its full-year earnings per share to include charges related to the data breach, but said it could not provide an estimate of the costs.
Target shares were little changed at $63.25.