The Target data breach disclosed in December was even worse than previously thought, and now also involves a huge database of customer contact information, the company announced today (Jan. 10).
"At this time," read a statement posted on the nationwide retailer's website, "the [company's] investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."
Target later confirmed to DataBreaches.net and The New York Times that those 70 million individuals were at least partly separate from the owners of 40 million credit and debit cards whose theft was announced in mid-December. The initial breach is thought to have occurred Nov. 28.
Although there is likely to be substantial overlap between the two groups, the total number of affected persons could theoretically reach 110 million, or more than one-third of the population of the United States.
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," Target Chairman, President and Chief Executive Officer Gregg Steinhafel said in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
How credit-card and personal-information breaches differ
The two sets of stolen data, despite being similarly massive, are quite different in character and would be used by criminals in different ways. Stolen credit cards must be used almost immediately, before banks and other financial institutions block their use; the damages can be substantial but short-lived, and the end consumer is rarely on the hook for fraudulent charges.
Personally identifying information of the sort stolen in the second set, however, can lie dormant for years until a criminal decides to use it to steal a stranger's identity.
Credit-card fraud "is quite easy for the consumer to resolve," pointed out Brian Krebs, the security blogger who broke the news of the initial Target data breach, in a new posting today. "Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer's name, which can take many years and cost thousands of dollars to resolve."
To that end, Target is prepared to spend a lot of money making good with its customers.
"Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores," the company said today.
Target promised to reveal more details next week about that credit-monitoring program, adding that persons who think they might be affected would have three months to enroll.
Target's data breach could still get worse
However, Target still has not revealed how either set of data was stolen, how the intruders got into both Target's payment system and its database of customer contact information, and whether more data sets might be affected.
"This disclosure indicated that the breach happened deeper in the network than originally thought," said Lamar Bailey, director of security research and development at Portland, Ore., security company Tripwire. "As is often the case, we may not have the complete story yet."
"These attackers had weeks to move around within the Target network," said Tripwire security researcher Ken Westin. "It would be safe to assume their entire network was compromised as a result."
Some financial institutions, JP Morgan Chase among them, took the extraordinary step over the holidays of sending new debit and credit cards to customers who may have been affected by the Target data breach.
Target has created Web pages to keep its customers informed, including a FAQ page with a substantial section on how to avoid phishing and social-engineering scams, and a more general Target data-breach landing page linking to various internal pages dealing with the issue.
Right on cue, a blast of spam postings hit Twitter this afternoon, all with the same message: "Target customers hacked credit cards posted, check here to see if you're listed." Web users who clicked on the included link were redirected to a website in China.