Target provided some guidance on its fourth quarter earnings on Friday and, not incidentally, dropped another bombshell in the long-running story about the November data breach that exposed credit card information on some 40 million customers.
It turns out that the credit card numbers were just the tip of a much larger iceberg. The big-box retailer now claims that its investigation of that incident revealed that data on around 70 million customers was exposed, including e-mail addresses, phone numbers, mailing addresses and more.
In a statement, Target said that much of the stolen data was “partial in nature,” but that it will reach out to customers whose e-mail addresses were stolen to warn them about potential fraud, including “phishing” e-mails that purport to come from Target.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s chairman, president and chief executive officer, in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Target said its customers will not be liable for the cost of any fraudulent charges arising from the breach. The retailer is also offering one year of free credit monitoring and identity theft protection to all guests who shopped at its U.S. stores, according to the statement.
Target first acknowledged the breach of its corporate network in December after evidence of the breach turned up on underground marketplaces for stolen credit card information. That led to reports of fraudulent purchases using the stolen credit cards.
Subsequent disclosures have revealed a security incident even more serious than first believed. A week after it initially disclosed the breach on December 19, Target admitted that encrypted debit card PIN information was taken as part of the hack.
The company was also at a loss to explain how zip code information associated with credit cards came to be for sale on underground forums. That information can make it easier for fraudsters to evade fraud detection systems used by online retailers, but wouldn’t be captured by point-of-sale systems, an initial focus of speculation. The most recent revelation suggests how attackers were able to combine credit card data with other cardholder information.