Target Corp. has disclosed that up to 70 million customers were affected in its recent payment card data breach, a number far greater than the original estimate of 40 million.
The Minneapolis-based retailer initially reported in mid-December that thieves had compromised information on 40 million customers who had used credit or debit cards at physical locations during the first three weeks of the holiday shopping season. Among the data stolen were customers' names, card numbers, expiration dates and card verification value information.
Now, Target's ongoing forensics investigation into the incident has revealed that data on up to 70 million of its customers was compromised during that timeframe. The company emphasized that the newly disclosed information was part of the original breach.
Though the scope of Target's breach has been greatly expanded, the additional data stolen does not seem to be as damaging in nature, with the Fortune 500 retailer describing the information, including names, mailing addresses, email addresses and phone numbers, as "partial in nature."
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Target CEO Gregg Steinhafel in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
Target has yet to clarify how much overlap exists between the customers affected in the original announcement and this latest update, but the company will attempt to contact affected customers with email addresses on file to provide advice on avoiding phishing scams.
Joe Ferrara, president and CEO of Wombat Security Technologies Inc., a provider of anti-phishing training and products, said he expects affected customers to receive phishing emails asking for more sensitive information, including account names, passwords, Social Security numbers and credit card information. Criminals may request that victims provide the info via an online form or over the phone.
"Our recommendation to everyone is to contact their credit card company directly using a phone number provided on their bill or from the back of their credit card to make any account changes and not to provide any information like this via email," Ferrara said. "To be safe, these phone calls should be made from a private location where eavesdroppers can't overhear the information that is shared."
Target is offering free credit monitoring and identity theft protection to all customers who shopped in its stores during the breach period. Customers have three months to enroll in a program.
Beyond the update on the data breach, Target also provided initial information on how the high-profile security incident has affected its finances. The retailer noted that it was experiencing "stronger than expected" Q4 sales up until December 19, 2013, the day the breach was announced. Sales declined at that point, but have since rebounded, according to the company. Overall, though, Target lowered its Q4 guidance for adjusted EPS from the $1.50 to $1.60 range to $1.20 to $1.30.
Target is still unable to estimate the costs related to the breach, but said the costs may have a "material adverse effect" both for this reporting period and in the future. The retailer has already been hit with dozens of lawsuits across the country, and John Kindervag, vice president and principal analyst at Forrester Research Inc., commented after the original announcement that Target could incur up to $100 million in related charges.