The massive data breach at Target over the holiday season is potentially much worse than the retailer first reported — as many as 110 million people may have had their identity and financial information compromised, the retailer says.
It remains unclear just how many individuals are affected and how. The company's ongoing investigation found that up to 70 million people had personal information stolen in the breach; in December, Target disclosed that 40 million accounts had been hacked.
The amount of overlap between the two figures — 70 million and 40 million — is uncertain. Target averages 30 million customers a week.
The retailer said Friday that "the stolen information includes names, mailing addresses, phone numbers or e-mail addresses for up to 70 million individuals."
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Target CEO Gregg Steinhafel said in a press release.
Target previously said that data thieves stole encrypted PIN data, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of cards used at Target between Nov. 27 and Dec. 15. The breach occurred after cybercriminals forced their way into Target's data system.
There may be overlap in customers who had both personal identification information stolen as well as credit and debit card data, but Target doesn't know to what extent, says spokeswoman Molly Snyder.
News of the additional stolen data brings the total number of potential customers affected up to 110 million. It also may increase the threat of identity theft, says Greg McBride, senior financial analyst at Bankrate.com.
"For somebody to actually go out and open credit in your name, it's pretty tough to do if they don't have your Social (Security number)," he says. "But if they have your Social and have all this other stuff too, it compounds the problem."
Customers involved are also at greater risk of being targeted by e-mail scams, he says.
To give "peace of mind," the Minneapolis-based retailer will offer free credit monitoring and identity theft protection to all its customers, with an opportunity to enroll over the next three months.
Target shares ended Friday down 1.14% to $62.62.
For Target customers who had their information stolen, the incident has meant hours spent speaking with banking customer service representatives, having to close accounts, be issued new credit and debit cards — and updating online accounts with the new information — and file identity theft reports.
Karen Raper, 46, from Lula, Ga., spent two hours talking to her bank on Christmas Eve after it notified her of suspicious activity showing up on her account from Ohio. Raper had shopped at Target on Black Friday, buying a camera for her daughter. Fifth Third Bank closed her account, will refund her the $300 that was charged and issue her a new card. But Raper says she's reluctant to head back to Target.
Kim Thompson, 39, says the situation makes her "angry, frustrated and concerned." Thompson, from Memphis, used her debit card to purchase groceries at Target at the beginning of December. She says she'll continue to shop there because it's convenient, but that she'll only use cash.
"This is a lesson to just sort of all of us to be constantly monitoring your accounts for unauthorized transactions," McBride says. "Because you have no liability as long as you report that to your financial institution."
Others are put off by a seeming lack of communication from Target. Those interviewed by USA TODAY say the first time they heard their information was compromised was, in most cases, from their bank, not the retailer.
"If Target does anything, it just seems like I have to either look it up or hear about it secondhand," says Jackie Chavez, 40.
Chavez, from El Paso, shopped at Target on Black Friday and found out after Christmas from her bank that there was suspicious activity on her account.
Target e-mailed customers it thought were affected, and for whom it had e-mail addresses, in the days after the breach was first announced Dec. 19. Snyder says that amounted to "millions of e-mails." It will do the same for the additional customers it's now found to be involved. The company also created a dedicated page on its website for the data breach, including resources about identity theft and credit reports.
The most recent announcement about the breach comes amid news of an unsuccessful holiday season for retailers and follows other disappointments at Target. Target lowered its fourth-quarter guidance Friday, expecting a comparable store sales decline of 2.5%. It previously said sales would be flat.
Target also revealed at the end of December that some gift cards sold during the holidays weren't fully activated, but that it would still honor the faulty cards.
The retailer will close eight stores in May. The stores are in West Dundee, Ill.; Las Vegas; North Las Vegas; Duluth, Ga.; Memphis; Orange Park, Fla.; Middletown, Ohio; and Trotwood, Ohio.
Contributing: Kevin McCoy
Target's new information:
As part of Target's ongoing forensic investigation, it has been determined that certain guest information -- separate from the payment card data previously disclosed -- was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Much of this data is partial in nature, but in cases where Target has an email address, we will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips at Target.com/databreach, along with updated information in the Data Breach FAQs to help answer questions and provide additional resources.
Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all Target guests who shopped our U.S stores. Guests will have three months to enroll in the program. Additional details will be shared next week.
We remain focused on addressing our guests' and team members' questions and concerns about the data breach. Please continue to check the Data Breach Issues Hub for updates as additional information becomes available.