On Friday, Target announced that the data breach during the holiday shopping season was far bigger than initially thought, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Last month Target Corp. disclosed that about 40 million credit and debit cards may have been affected by a data breach that happened between Nov. 27 and Dec. 15, just as the holiday shopping season was getting into gear. However, the investigation has found that criminals also took non-credit-card data for some 70 million shoppers, who could have made purchases at Target stores outside the late Nov. to mid-Dec. timeframe.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Gregg Steinhafel, chairman, president and CEO of Target, said in the release. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.
Attorneys general from New York, Connecticut, Massachusetts, and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
“A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach,” said Massachusetts Attorney General Martha Coakley.
As Reuters reports, security experts think that the stolen payment card data could be used to fabricate counterfeit magnetic stripe credit cards, and that the personal information could be sold on underground exchanges for use in email “phishing” campaigns aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
The company said it doesn’t know how many customers have found fraudulent charges on their credit or debit cards, but individual stories and lawsuits are beginning to crop up across the country.
The company said customers won’t be liable for the cost of any fraudulent charges that stemmed from the breach. Target said it will try to contact customers it has email addresses for to provide tips on how to safeguard against consumer scams. The company said it won’t ask customers for any personal information during its email communications.
It’s also offering a year of free credit monitoring and identity theft protection to customers who shopped at its stores. Individuals will have three months to enroll in the program. Target said it will provide more details on that next week, reports the Guardian.
The company also announced that its fourth-quarter results have been hurt by the breach. Target now expects fourth-quarter earnings per share of $1.20 to $1.30, compared to the previous estimate of $1.50 to $1.60.
The theft from Target’s databases is still the second largest data breach on record, rivalling an incident uncovered in 2007 that saw more than 90 million credit card accounts pilfered from TJX Cos. Inc.