The Target data breach story keeps getting worse. The December pre-Christmas disclosure was the theft of up to 40 million Target shoppers’ credit and debit card information in what appeared to have been a hack of the Target point-of-sale system that allowed the thieves to swipe magnetic card data as customers checked out. About a week later, we learned that debit card PIN data had indeed been swiped in addition to the card numbers, but according to Target, the PINs were encrypted.
Today’s news is that Target has discovered that the personal information of up to an additional 70 million Target customers was also stolen — such information includes names, mailing addresses, phone numbers and email addresses. There is likely crossover between the 40 million affected customers and the new 70 million number, but whatever that crossover is, it still makes the total number of records affected somewhere between 70 million and 110 million.
In a statement released this morning, Target said that much of this additional stolen data is “partial in nature,” but in the case where the retailer has customer email addresses, it will attempt to contact those affected customers and alert them to the issue. The email will provide consumer protection information, like how to guard against scams, and will remind customers that Target will never ask for a customer’s personal information via an email message.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target chairman, president and chief executive officer, in a statement today. The company added that Target shoppers will have zero liability for any of the fraudulent charges arising from this breach, and is also offering a year of free credit monitoring and identity theft protection to all who shopped Target’s U.S. stores when the attack occurred.
For more information: ABC News
Krebs on Security
Forbes