Breach goes from bad to worse for Target and its customers

Company now says up to 70 million cards exposed -- up from 40 million -- and that hackers accessed more data than previously thought

Target's acknowledgement Friday that personal data of 70 million people, not 40 million as previously thought, may have been exposed to hackers in a recent data breach raises new questions about the incident and how it could affect victims.

Target today also said that an ongoing investigation of the data breach has revealed that "guest information" such as names, mailing addresses, phone numbers, and email addresses of customers may have been accessed by the same thieves who hacked into its systems last month.

Much of the exposed data is "partial in nature," the company said in a statement this morning. In cases where a customer email address is available, Target said it would attempt to contact affected individuals.

"We know that it is frustrating for our guests to learn that this information was taken and we are sorry they are having to endure this," said Target chairman and CEO Gregg Steinhafel in the statement.

Target in mid-December revealed that hackers had broke into its systems between Nov. 27 and Dec. 15 and accessed data on up to 40 million debit and credit cards. At the time, Target said that hackers gained access to cardholder names, credit or debit card numbers, card expiration dates and CVV security codes.

Target now says that its subsequent investigation found that data from 30 million more cards was exposed. "This theft is not a new breach, but was uncovered as part of the ongoing investigation," the company said.

The update shows that the breach exposed data on about one third of the adult population of the United States, noted James Huguelet, and independent security consultant who specializes in retail security. "It now implies that consumers who shopped at Target outside of the approximately one month the breach was active have now become potentially affected by this breach," he said. Target's statement suggests that in some cases, only an individual's e-mail address might have been compromised, while in others, the mailing address might have been exposed. Huguelet said the "partial" exposure implies "that multiple systems containing different types of information were compromised [though] that's purely speculative at this point."

Hackers using the stolen information can now target victims with highly sophisticated spear-phishing attacks Huguelet warned.

"I can see a criminal being able to create a very effective attack with each e-mail sent having been customized to include the target's name, address, and phone number. This could very well lead to a massive wave of identity theft across the United States," he said.

Huguelet suggested that all Target customers accept the retailer's offer to provide free credit monitoring, though he added, "I'm surprised that Target is not making this available immediately." Attacks could already be underway and the credit monitoring may come too late for some victims, he said.

Steve Ward, a spokesman for security vendor Invincea, said Target customers should already be on high alert for phishing attacks. The stolen data allows attackers to craft very convincing emails in attempts to pry loose sensitive data.

"Seventy million active email addresses is a treasure trove for cyber criminal. They now have emails they know are active and linked to Target," he said. Where possible, he suggests that individuals with email addresses linked to Target deactivate them.

If the email address is too difficult to change, individuals have to be continually on the lookout for phishing attempts, not just for days, but for months and perhaps years as well, he said.

Credit and debit card information stolen from Target is already being used in new ways. Compromised cards are being marketed online with information on the state, city and ZIP code of the Target store where they were used.

Fraud experts suggest that the location information will likely allow buyers of the stolen data to use spoofed versions of cards issued to people in their immediate vicinity.

Local use of a card makes it more likely that crooks can use it for a longer period of time because fraud detection tools used by banks and other card issuers use locations and frequency of card use to determine potential criminal activity. Banks often decline transactions or require additional authentication only for card transactions that originate from new or unexpected locations.

The breach could be very costly for Target, especially considering the findings of its investigation. TJX and Heartland were hit with similar massive attacks have so far paid well over $100 million in breach-related costs, many in relation to outside investigations.

In the statement today, Target said it expects fourth-quarter sales and earnings to be substantially lower than the results expected before the breach was discovered.

The adjusted earning per share for the fourth quarter is now $1.20 to $1.30 compared to prior guidance of $1.50 to $1.60. Sales during the quarter are now expected to be nearly 2.5% lower than previously expected.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingTargetsecurityMalware and Vulnerabilities

More about FTCTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts