Target says data breach bigger than previously thought

Officials at Target are apologizing to their customers for the second time in a few weeks after the retailer revealed the same group of hackers that stole 40 million credit card numbers also pulled off another, much larger theft

Target security breach much worse than first reported 02:09

The revelations about Target's (TGT) data breach continue to get worse, with the retailer now estimating that at least 70 million customers have been impacted, almost twice as many as the 40 million it had earlier disclosed. And it may turn out even more people were affected.

Target said that its forensics investigation has found that "certain guest information -- separate from the payment card data previously disclosed -- was taken during the data breach."

The stolen information includes names, mailing addresses, phone numbers and email addresses for as many as 70 million people, the company said in a statement issued Friday. The company said much of the data is "partial in nature," and will contact customers for whom Target has an email address.

A passer-by walks near an entrance to a Target retail store in Watertown, Mass. Steven Senne, AP

There's likely some overlap with the 40 million customers affected by the credit- and debit-card breach, although its extent isn't yet clear, Target spokeswoman Molly Snyder told CBS MoneyWatch. While the data was stolen during the Nov. 27-Dec. 15 time period, when the credit card theft happened, the personal information stolen could be from customers who shopped at Target prior to that time period, she notes.

The customer data was stolen from systems beyond point of sale, she added. That means customers who emailed Target with questions or bought via the Internet, for instance, may be impacted, although Snyder declined to comment on the exact methods of data collection.

"You now can receive e-mails that will look a lot like an e-mail from Target or an e-mail from your bank that will lead you to a website that will ask for your log-n credentials including your password. And those sites could potentially be from he hackers who stole your e-mail address," said Yaron Samid, who owns a fraud protection company.

In the wake of the newest revelations, the attorney generals of New York and Massachusetts are asking for more information from the retailer. In a statement provided to CBS MoneyWatch, New York attorney general Eric Schneiderman called the latest news "deeply troubling."

Target's woes are now extending to its financial results, with the company warning that sales have been impacted by the data breach as fewer shoppers patronized its stores after the revelation. It warned that fourth-quarter revenue likely declined by 2.5 percent, as sales were "meaningfully weaker-than-expected" after the theft was announced.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target chief executive Gregg Steinhafel said in the statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

That's probably providing little peace of mind to Target customers, many of whom have already expressed frustration at what they've seen as a poor response to the data theft.

Part of the problem for Target is that it released information about the data theft in dribs and drabs. While it first said no PIN data was compromised during the theft, the retailer later said encrypted PIN numbers were actually stolen during the breach.

With the latest revelation about the widening scope of the breach, customers expressed more anger toward Target via its Facebook page.

"Now we hear our names and email address too!! You have been hiding info from the start on this to get past Christmas. I will NEVER shop at Target again!!" one customer wrote on the Facebook page.

Some Target customers reacted with outrage, but Laura Downs of Arlington, Virginia told CBS News she was taking the news in stride.

"I don't think it's necessarily just going to be Target. I think this is just a sign of the times as the criminals out there get more sophisticated."

Investors are also likely to feel burned. Along with the warning on weaker sales, Target lowered its fourth-quarter earnings outlook to $1.20 to $1.30 per share, compared with previous guidance of $1.50 to $1.60 per share.

As for the breach's costs to Target, the company said it was unable to provide an estimate. The impact will likely include reimbursements of credit-card fraud, card re-issuance costs and litigation costs, among many other items.

Shoppers who are concerned they might have been impacted should be aware of potential scams, such as strangers asking them for personal information, which Snyder says Target would not do. Target will also provide credit monitoring for any Target customer.

Target is also planning to close eight stores in May, after "careful consideration of each location's financial performance." They are stores located in West Dundee, Ill.; Las Vegas, Nev.; North Las Vegas, Nev.; Duluth, Ga.; Memphis, Tenn.; Orange Park, Fla.; Middletown, Ohio; and Trotwood, Ohio.

But the bottom line for many Target customers will be a continued feeling of concern about the scope of the breach, given that the latest news that the theft was even worse than first suspected.

Aimee Picchi

Aimee Picchi is the associate managing editor for CBS MoneyWatch, where she covers business and personal finance. She previously worked at Bloomberg News and has written for national news outlets including USA Today and Consumer Reports.

Twitter

More from CBS News