Target Corp. on Friday said personal data on 70 million customers were compromised in a separate theft during the same data breach it disclosed last month that exposed up to 40 million credit and debit card accounts of U.S. shoppers. That could bring the total number of customers affected up to 110 million, but it’s not clear how much the updated figure overlaps with the older one.
Also, a leading security analyst tells Digital Transactions News that the intruders who invaded Target's network have likely planted malware in the systems of a number of other retailers at the same time.
In its new notice, Target mentions only non-card data being stolen in the second theft. “As part of Target’s ongoing forensic investigation, it has been determined that certain guest information—separate from the payment card data previously disclosed—was taken during the data breach,” Target's new statement says. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”
A spokesperson for the Minneapolis-based retailer tells Digital Transactions News that he did not have further information on how much the groups of customers affected by the two distinct thefts overlap. A different Target spokesperson told the online publication Re/code that the total number of customers affected is likely to be less than 110 million, but also that the theft of personal information was not limited to customers who had shopped at Target in the pre-holiday weeks, as Target first said.
The changing narrative doesn’t surprise Chris Bucolo, senior manager of security consulting at ControlScan Inc., an Atlanta-based data-security services provider. “They may have gotten a preliminary report from the auditor,” he says. “The full extent of the breaches is often larger and not determined until later.” Target has hired the forensics unit of Verizon Communications Inc. to investigate the breach, which is also being probed by the U.S. Secret Service, the Department of Justice, and state attorneys general.
Hackers typically first try to find and export payment card data quickly once they break into a company’s computer system, Bucolo says. But if they’re not worried about immediate detection, they may snoop around for other personal data they can use or sell in addition to card information for purposes of identity theft. “The more data you get, the better, if you’re in this game,” Bucolo says.
Target’s latest disclosure suggests that hackers did get into a database or databases separate from the card files, according to Bucolo. Such databases seemingly would be most useful for customer-loyalty purposes, perhaps collected as part of Target’s proprietary REDcard program or other marketing-related initiatives.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president, and chief executive, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Also on Friday, Target for the first time hinted at the financial impact of the breach. In its U.S. segment, Target now expects adjusted earnings for its fourth quarter of fiscal 2013 to come in at $1.20 to $1.30 per share, compared with prior guidance of $1.50 to $1.60. Target, which expects same-store sales for the full quarter to decline 2.5% year-over-year, said fourth-quarter sales had been stronger than expected before it confirmed the breach Dec. 19, a day after the KrebsOnSecurity Web site broke the story. Then it encountered “meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days,” the company said. For the rest of the quarter, sales will be down 2% to 6%, Target said.
Target offered a 10% discount to customers shortly after it disclosed the breach. The retailer also has confirmed that encrypted PINs on debit cards were among the data stolen.
Analyst Avivah Litan, who researches security technology for Stamford, Conn.-based Gartner Inc., says, “This is a much more widespread breach than people understand.” She adds that highly placed executives in the security industry tell her that Target, which has confirmed that malware was installed on its system, may be just one victim in a broader attack. “There are other retailers affected,” she says. “They [hackers] were testing their malware with different retailers. We’re scratching the surface.”