Target said an investigation found that hackers stole the personal
information of at least 70 million customers, including names,
mailing addresses, telephone numbers and email addresses.
Previously, the No. 3 U.S. retailer said the hackers stole data from
40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the
extent was not clear, according to Target spokeswoman Molly Snyder.
She said some of the victims did not shop at Target stores during
the period of the breach, between November 27 and December 15, and
that their personal information was stolen from a database.
"I know that it is frustrating for our guests to learn that this
information was taken and we are truly sorry they are having to
endure this," Target Chief Executive Gregg Steinhafel said in the
statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts and
Minnesota said they were joining a nationwide probe into the
security breach. A source familiar with the joint probe said more
than 30 states were involved.
"A breach of this magnitude is extremely disconcerting and we are
participating in a multi-state investigation to discover the
circumstances that led to this breach," Massachusetts Attorney
General Martha Coakley said.
Security experts said the stolen payment card data could be used to
fabricate false magnetic strip credit cards. And the personal
information could be sold on underground exchanges for use in email
"phishing" campaigns, aimed at persuading victims to hand over even
more sensitive information, such as bank account numbers.
"I think they still have no idea how big this is," said David
Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who
runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part due to
weaker-than-expected sales since reports of the cyber-attack emerged
in mid-December. Target shares closed down just over 1 percent to
$62.62, hovering near a year-low.
The largest known breach at a U.S. retailer, uncovered in 2007, was
at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains,
where more than 90 million credit cards were stolen over about 18
On Friday, Neiman Marcus revealed it too had been the victim of a
The high-end department store was informed by its credit-card
processor in mid-December of possible unauthorized card activity
that followed customer purchases at Neiman Marcus stores,
spokeswoman Ginger Reeder said.
A subsequent investigation turned up evidence on January 1 of a
"criminal cybersecurity intrusion" that may have compromised an
unknown number of customers' cards, the company said.
Neiman Marcus, owned by the Canada Pension Plan Investment Board and
private equity firm Ares Management LLC, is still investigating and
said it did not know at this time how many customers may have been
affected. Nor was it immediately clear whether it was linked to the
FRAUD REPORTS GROWING
Reports of fraudulent card charges have been growing since the
Target breach was disclosed, said an executive at one major card
issuer who asked not to be identified.
The full magnitude of the damage will not likely be known until
later in January, when customers receive and examine their monthly
statements and call their banks, the executive said. He added that,
in past cases, it has taken 30 to 45 days for the vast majority of
bad charges to surface.
Target and credit card issuers have said customers will have zero
liability for the cost of any fraudulent charges.
Harlan Loeb, global chairman of the crisis and risk management
practice at Edelman, said Target should have been more proactive in
communicating with its customers. He thinks Target will have a
tougher task containing the situation than TJX did.
"The game has changed so dramatically since 2007," Loeb said, citing
"the dramatic escalation of information channels and the
sophistication of hackers."
[to top of second column]
"The one thing that should be part of any crisis plan is the specter
that you might have to be in communication with hundreds of
thousands of customers instantly," Loeb said. "There was an element
of that missing" in Target's case.
According to a Reuters/Ipsos poll, 40 percent of people who shopped
at Target during the period of the data breach had not been notified
about the incident. Thirty-one percent said they had been notified
by Target and 28 percent said they had been notified by their bank
or credit card company. The results represent 640 surveys conducted
from January 2 to January 10, with a margin of error of plus or
minus 4.5 percentage points.
In the wake of the Target breach, Senate Judiciary Committee
Chairman Patrick Leahy introduced on Wednesday a new version of a
2005 bill that seeks to improve how companies protect consumer data
from cyber thieves. It would set criminal penalties for intentional
or willful concealing of a personal data breach that causes economic
damage to consumers, and ensure that conspiring or attempting to
commit computer fraud would face the same penalties as completed
"This is a terrible situation and it's upsetting to see that the
scope of this breach is larger than first thought," said Senator Al
Franken of Minnesota, who is one of three Democrats currently signed
on to Leahy's bill as co-sponsors.
"Data breaches like this one, and past breaches such as at T.J. Maxx
and Sony PlayStation, raise important questions about the
responsibilities corporations have to protect consumer data and
inform their customers when data have been compromised."
Senator Richard Blumenthal, a Connecticut Democrat, is also
co-sponsoring the bill.
"Disclosures about Target's even broader breaches of customer
information will rightly add alarm and anger. Now, more than ever,
an FTC investigation is necessary — and should be publicly confirmed — so that consumers know their rights and interests are protected,"
Blumenthal said in a statement.
The Federal Trade Commission privacy spokesman declined to comment,
saying the agency does not confirm or deny the existence of
Data breach laws are more specific on the state level and the FTC
can only bring lawsuits under the FTC act against companies if they
are deemed to not have protected the data properly.
TOTAL COST UNKNOWN
On Friday, Target cut its fourth-quarter adjusted earnings forecast
for U.S. operations to between $1.20 and $1.30 per share, down from
$1.50 to $1.60. The Minneapolis-based company also forecast a 2.5
percent decline in fourth-quarter same-store sales. It had forecast
Target expects full-year earnings per share to include charges
related to the data breach, but said it could not estimate the
Janney Capital Markets analyst David Strasser described Target's
holiday sales report card as "dismal."
"We all knew it was going to be bad at Target, but it was the
magnitude of decline that was unclear," he said. "Clearly, the first
half of the fourth quarter was impacted by an aggressive holiday
season across retail, but the credit card data breach had a
significant impact post December 19.
"The key risk remains the time it takes for consumers to forgive
Target. If this is like past breaches this should normalize as the
year progresses," Strasser added.
(Additional by Karen Freifeld and Jilian
Mincer in New York, Alina Selyukh in Washington and Siddharth Cavale
in Bangalore; writing by Richard Valdmanis; editing by Tiffany Wu,
Jeffrey Benkoe and Leslie Adler)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.