Target disclosed on Friday that a mass information breach involved data belonging to up to 110 million individuals—a number far more extensive than originally believed.
The big box retailer said that a probe into the hacking of customers’ personal data found that stolen information—separate from payment information already reported—included names, mailing addresses, phone numbers or email addresses for tens of millions. The new figure was significantly higher than the 40 million the company initially reported.
Although Target previously stated the breach wouldn’t compromise card holders’ accounts, the dramatic rise in the number of people affected called that assumption into question.
Dow Jones reported Friday that Target shoppers’ information was stored separately from the 40 million credit and debit card accounts that the discount chain had said were affected back in December, when the breach was initially reported. Friday’s disclosure indicated that a different system had been hacked.
The third largest U.S. retailer said there was some overlap between the two sets of stolen data but didn’t say how extensive it was. The entry point for the attack has been identified and closed, spokeswoman Molly Snyder said. State attorneys general from around the country are banding together to probe the Target data breach, New York Attorney General Eric Schneiderman said on Friday.
Jaclyn Falkowski, a spokeswoman for the Connecticut Attorney General, said separately that Connecticut is joining with New York and other states in the probe. A Target official could not immediately be reached for comment on the state attorney investigations.
Given the vast amount of personal data at stake, Target’s announcement gave the issue a new sense of urgenty. Experts say thieves may find a way to manipulate sensitive data to withdraw money from card holder accounts, or make other unauthorized transactions. In the wake of the mass theft, the retailer vigorously disputed reports that personal identification numbers (PINs) had been compromised.
“The unfortunate part about this, the part we can’t escape, is that once the information is gone, it’s gone,” Paul Viollis, CEO of Risk Control Strategies, told CNBC in an interview. “The consumer is going to have to monitor on a monthly basis not only their credit card statement, but from their credit bureau as well.”
Regardless of that vigilance, the compromised data “is going to lead the criminal to where the people live, how many homes they have, where they travel to, what they buy, and that whole pattern of whether that person is affluent or not,” Viollis added.
Target has struggled to manage the fallout of the stolen data, which was hacked from the company’s cash registers between late November and early December. The snafu impacted the ability of millions of Americans to withdraw money and make purchases on their bank and credit cards ahead of the critical holiday shopping season.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s president and CEO, in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The company said that is clients would have “zero liability” for costs incurred by fraudulent charges. Additionally, it promised to provide a year of free credit monitoring and identity theft protection to all consumers who shopped at Target locations.
Ian Gordon, equity research analyst at S&P Capital IQ believes the security breach won’t deter shoppers from making future purchases from the retailer although he predicts there will be repercussions.
“I think consumers will come around and we expect there to be some impact probably next year, but over time we think it will work out,” Gordon said on CNBC’s Power Lunch. “The shares are fairly reasonably valued, we see earnings growth pretty strong over the next couple years.”
“The question is going to be, what are the costs to Target in terms of legal and settlements and penalties,” he added.
But not everyone agrees the retailer might be resilient to all the recent bad news.
“Unfortunately Target has released a lot of bad news over the past 12 months including much weaker-than-expected results in Canada, negative traffic in the U.S., and so I think investors have been looking at this stock and saying, ‘how much worse can it get?’ ” said Faye Landes, Cowen & Co.’s managing director on CNBC’s Street Signs.
On CNBC’s Squawk on the Street, Risk Control Strategies CEO Paul Vollis said, “The information that’s available whether or not someone is actually going to know it was stolen, is slim to none.”
Vollis adds he believes Target is being responsible to its consumers and are being transparent with the public. “The unfortunate part about this is that once the information is gone, it’s gone. The consumer is going to have to monitor not only their credit card statement, but from their credit bureau as well.”
sales in the wake of the data breach, Target also cut its fourth-quarter adjusted earnings per share (EPS) forecast for its U.S. operations to $1.20 to $1.30, from $1.50 to $1.60.
Target’s stock, traded on the New York Stock Exchange, fell 1.1 percent in afternoon trading.
By: Javier E. David and Izzy Best, CNBC.com , Reuters and Dow Jones contributed to this article.