The massive credit card heist at Target stores across the country was nearly three times as large as previously revealed, with the retailer saying 110 million customers were hit -- making it one of the largest security breaches of its kind.
The newly disclosed victims included customers who shopped at Target prior to the start of holiday shopping season.
The company said Friday that as part of its ongoing probe it found that some customer information, apart from the payment card data previously disclosed, was stolen during the data breach. It said this is not a new breach.
The stolen information includes names, mailing addresses, phone numbers or email addresses for up to 110 million individuals.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target, in a statement on its website. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Target said that much of the data stolen is partial, but in situations where Target has an email address, it will attempt to contact the customers affected by the breach and provide them with tips to guard against consumer scams. Target said it won't ask customers for any personal information when it contacts them.
Even though the data is in bits and pieces, it means some of the previously disclosed stolen credit cards can be used to commit fraud in more places online.
In addition, it could be a precursor to more widespread identity theft. "They steal and combine what was stolen in previous breaches," said Avivah Latan, a fraud analyst at technology research company Gartner. "There are warehouses of information on people and dossiers. Now we've got John's credit card, his address, his phone number... they do put it together and sell entire profiles on people."
Target initially reported in mid-December that about 40 million people who used credit or debit cards at its stores November 27th to December 15th had their information compromised. At that time, the company said the information swiped from its systems included customers' names, expiration dates, credit card numbers, and verification codes.
The breach was first reported by Krebs on Security, a data security blog. It occurred over some of the busiest days of the holiday shopping season, including Black Friday, and ran from Nov. 27 through Dec. 15, according to Target.
It added that customers will have no liability for the cost of any fraudulent charges. And it will offer one year of free credit monitoring and identity theft protection for all customers who shopped in its stores.
In 2007, more than 45 million T.J. Maxx and Marshalls customers had their data stolen in what had been one of the largest U.S. corporate data breaches to date.