Target on Friday announced that an ongoing digital forensic investigation into its recent data breach has found that personal information relating to 70 million customers was stolen.
"As part of Target's ongoing forensic investigation, it has been determined that certain guest information -- separate from the payment card data previously disclosed -- was taken during the data breach," Target said in a statement, continuing the company's marketing-spin habit of labeling customers as "guests."
"At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals," said Target. "This theft is not a new breach, but was uncovered as part of the ongoing investigation."
Target's statement doesn't make clear, however, if the 40 million previously affected cardholders are a subset of the new 70 million figure or if the revised breach count means that up to 110 million people were affected. A Target spokeswoman didn't immediately respond to an emailed request for clarification.
The growing number of people affected by the breach complicates efforts by Target CEO Gregg Steinhafel to rebuild trust with the company's customers. That said, the company did earn plaudits from some identity theft experts for quickly warning customers about the breach once it was discovered.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Steinhafel said Friday in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
Target has yet to offer any details about how the information was compromised, and whether it involved an inside attack or an external hacker.
Target first publicly detailed the data breach on December 19, 2013, saying that during the 19-day heist, which began in late November, there was "unauthorized access" to 40 million credit and debit cards. But Target also warned that a related investigation was only in its early stages, meaning that the number of people affected by the breach, or types of data stolen, might be revised.
Some security experts said a surge of stolen card data began flooding cybercrime sites in early December, suggesting that many Target customers -- as well as users of the store's own REDcard debit and credit card accounts -- were at immediate risk of fraud. In fact, related fraud may have been what led credit card issuers to spot signs of the breach and trace it back to Target.
Beyond fraud, now add phishing attacks to the list of concerns facing Target's data breach victims. Indeed, based on past attacks, it's a safe bet that anyone in possession of the up to 70 million Target customers' stolen names and email addresses will begin sending fake "security warnings," breach updates, or related emails to already worried Target customers. If you receive such emails, don't open any links in them -- or in any financial-related emails, for that matter.
The data breach, which Target revealed during the 2013 holiday shopping season, has taken a bite out of the company's revenues. The full extent of the financial fallout was hinted at Friday, when the company warned investors that post-breach sales had declined by between 2% and 6%. Target also said that it will close eight US Target stores in May.
Despite that fourth-quarter hit, post-breach sales have shown improvement in the last several days, Target said. But the company isn't off the hook yet financially. An update on fourth-quarter outlook released Friday by Target warned that the retailer may face significant related long-term costs.
"At this time, the company is not able to estimate the costs, or a range of costs, related to the data breach," Target said. "Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities."
On the cost front, Target will offer a year of free credit monitoring and identity theft protection to any customer who shopped in its US stores, although the company has yet to specify the time period. Target will allow customers to enroll in the monitoring program beginning next week and for up to three months after it launches.
"We know this incident has been a confusing and stressful time for our guests, and for that we apologize," Scott Kennedy, president of Target's finance and retail services, said Friday in a statement. "We hope this offer provides them with additional peace of mind."