Target Data Breach Widens to 70 Million More Individuals
Target disclosed 70 million more people were hit by last fall's data breach, which initially affected 40 million credit and debit cards.
The Target data breach disclosed in December was even worse than previously thought, and now also involves a huge database of customer contact information, the company announced today (Jan. 10).
"At this time," read a statement posted on the nationwide retailer's website, "the [company's] investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."
Target later confirmed to DataBreaches.net and The New York Times that those 70 million individuals were at least partly separate from the owners of 40 million credit and debit cards whose theft was announced in mid-December. The initial breach is thought to have occurred Nov. 28.
Although there is likely to be substantial overlap between the two groups, the total number of affected persons could theoretically reach 110 million, or more than one-third of the population of the United States.
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Target Chairman, President and Chief Executive Officer Gregg Steinhafel said in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
How credit-card and personal-information breaches differ
The two sets of stolen data, despite being similarly massive, are quite different in character and would be used by criminals in different ways. Stolen credit cards must be used almost immediately, before banks and other financial institutions block their use; the damages can be substantial but short-lived, and the end consumer is rarely on the hook for fraudulent charges.
Personally identifying information of the sort stolen in the second set, however, can lie dormant for years until a criminal decides to use it to steal a stranger's identity.
Credit-card fraud "is quite easy for the consumer to resolve," pointed out Brian Krebs, the security blogger who broke the news of the initial Target data breach, in a new posting today. "Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer's name, which can take many years and cost thousands of dollars to resolve."
To that end, Target is prepared to spend a lot of money making good with its customers.
"Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores," the company said today.
Target promised to reveal more details next week about that credit-monitoring program, adding that persons who think they might be affected would have three months to enroll.
Target's data breach could still get worse
However, Target still has not revealed how either set of data was stolen, how the intruders got into both Target's payment system and its database of customer contact information, and whether more data sets might be affected.
"This disclosure indicated that the breach happened deeper in the network than originally thought," said Lamar Bailey, director of security research and development at Portland, Ore., security company Tripwire. "As is often the case, we may not have the complete story yet."
"These attackers had weeks to move around within the Target network," said Tripwire security researcher Ken Westin. "It would be safe to assume their entire network was compromised as a result."
Some financial institutions, JP Morgan Chase among them, took the extraordinary step over the holidays of sending new debit and credit cards to customers who may have been affected by the Target data breach.
Target has created Web pages to keep its customers informed, including a FAQ page with a substantial section on how to avoid phishing and social-engineering scams, and a more general Target data-breach landing page linking to various internal pages dealing with the issue.
Right on cue, a blast of spam postings hit Twitter this afternoon, all with the same message: "Target customers hacked credit cards posted, check here to see if you're listed." Web users who clicked on the included link were redirected to a website in China.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
