NEW YORK/BOSTON, (Reuters) – The data breach at Target Corp over the holiday shopping season was far bigger than initially thought, the U.S. company said yesterday, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Target said an investigation has found that the hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Previously, the No.3 U.S. retailer said the hackers stole data from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She also noted that some of the victims did not shop at Target stores during the period of the breach between Nov. 27 and Dec. 15, and their personal information was stolen from a database.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Target Chief Executive Gregg Steinhafel said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts, and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
“A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach,” said Massachusetts Attorney General Martha Coakley.
Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email “phishing” campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
“I think they still have no idea how big this is,” said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part due to weaker-than-expected sales since reports of the cyber-attack emerged in mid-December. Target shares closed down just over 1 percent to $62.62, hovering near a year-low.