Target Corp. says a recent data breach affected far more holiday-season shoppers than the 40 million who had been previously disclosed.
The Minnesota-based retailer also said more personal information may have been compromised than previously believed, including emails and home addresses.
"At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals," a Target press release published Friday says.
Fraud analyst Avivah Litan told the Pioneer Press the additional information that was stolen from those customers is not stored on point-of-sale devices used to access the payment card data. According to Litan, the fact that the thieves gained access to another data source suggests that someone from inside helped.
"It definitely strengthens the case that this was someone embedded in the organization," Litan told the Pioneer Press. "Someone had inside knowledge, whether it was an insider, or an outsider working with an insider."
Target had said last month that, between Nov. 27 and Dec. 15, hackers stole other types of data – customer names, credit or debit card numbers, expiration dates and three-digit security codes for 40 million customers, the New York Times notes.
The Wall Street Journal reports that the company has clarified that "the 70 million people were separate from the approximately 40 million credit and debit card accounts previously reported as compromised, though there was some overlap."
A breach affecting 70 million or more would make it one of the largest security breaches of its kind ever, NBC News reported.
The new information was discovered by Target as part of its ongoing investigation into the data breach.
Target's press release adds: "Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams."
Target has set up a webpage with more information for consumers specific to the breach.
Target has stressed that consumers would not be held liable if their card data are ultimately used in fraudulent purchases. In a Facebook post Friday morning, Target said it would offer a year of free credit monitoring to all customers.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target's chairman, president and chief executive officer. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Target officials on Friday also announced that the data breach hurt the retailer's bottom line in the all-important fourth quarter, noting that Target was lowering its outlook for fourth-quarter comparable sales revenue, to a drop of 2 percent to 6 percent.
Target said that stores had stronger-than-expected sales in the fourth quarter prior to the company’s Dec. 13 announcement about the card data breach. But store officials say they had "meaningfully weaker-than-expected sales since the announcement."
A few customers have already started to sue Target over the breach.