Target (TGT) said Friday the number of customers affected by its holiday shopping data breach surged by as much 70 million more, from the originally reported 40 million, and the range of information broadened to include not just customer card information, but ‘guest information’ as well.
The retailer reassured its customers this latest development is not part of a new breach, but was uncovered as part on the ongoing investigation. In addition to the already-known customer names, card numbers, expiration dates and the CVV three-digit security codes that were stolen, Target said the new information included in the breach now includes names, mailing address, phone numbers and email address for as many as 70 million customers, though there may be some overlap between the 40 million first reported and the additional 70 million.
The number of payment cards affected by the breach still stands at about 40 million, meaning the new figure includes even people who didn’t swipe cards. The non-card related information actually came from a completely different access point, a Target spokeswoman confirmed to FOX Business. That hole has since been sealed, she said. However, she wouldn't comment on which system it was, citing the "ongoing investigation."
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target’s chairman, president and chief executive officer, in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
The retailer said its customers will not be on the hook for any fraudulent charges that result from the data breach, and it will offer one year of free credit monitoring and identity theft protection to all guests who shopped in the retailer’s U.S. stores. Those who wish to take part in the program have three months to enroll. Target said it will release details for enrollment next week, and reminded shoppers who were affected to visit www.target.com/databreach for additional information and resources.
Target ran into a problem, Eric Chiu, president and co-founder of cloud control company HyTrust said, where point-of-sale and customer database systems connect to networks. Chiu said hackers can access that point and sneak undetected inside a corporate network. Ominously, he also added because of the density of information available on today’s networks, hackers don’t just get some data, they get a lot of it.
“Companies need to take an /inside-out’ approach to security to ensure that access to critical systems and data is protected from the inside through fine-grained access controls, including the NSA’s new two-person rule and the role-based monitoring. And ensure all sensitive information is encrypted as well. This is the only way to protect against insider threats, which are the number one cause of breaches,” he said.
Nathaniel Couper-Noles, principal security consultant at security and risk management company Neohapsis, said contingency planning is about identifying what could go wrong and figuring out what the results could be because the consequences are sometimes surprising.
“Target is not the first company to have restated the scope and impact of a breach,” he said. “Restatements, like Target’s as well as Adobe before them, demonstrate how hard it can be to put the pieces back together after they’ve fallen apart.”
Target confirmed in mid-December unauthorized access to its in-store customers’ credit and debit card data between Nov. 27 and December 15 – the busiest shopping time of the year. At that point, the retailer said 40 million of its customers were affected. The breach is one of the biggest in history against a U.S. store.
Minneapolis-based Target has 1,797 retail locations in the U.S. with 124 stores in Canada, but also announced plans to shutter eight of its domestic locations in Nevada, Georgia, Tennessee, Ohio, and Florida in May.
Dimmer Profit Outlook
In addition to the newest breach developments, Target on Friday cut its fourth quarter adjusted profit outlook to $1.20–$1.30 a share from $1.50 - $1.60. Wall Street analysts expected 4Q EPS to come in at $1.24, according to a Thomson Reuters poll. It also noted it foresees a 2.5% decline in fourth-quarter comparable sales, versus previous guidance for flat comp sales.
In its updated guidance, the company said it expects stronger-than-expected 4Q sales prior to the data breech, and a 2% - 6% decline in comp sales for the rest of the quarter.
John Mulligan, executive vice president and chief financial officer at Target, said though the top priority is taking care of the company’s customers, it’s also focused on numbers.
“We remain keenly focused on driving profitable top-line growth and investing our resources to deliver superior financial results over time. While we are disappointed in our 2013 performance, we continue to manage our business with great discipline and leverage our expense optimization efforts to reinvest in multichannel initiatives that generate long-term value for our shareholders," he said.
Target shares eased 1% Friday afternoon.