The data breach at Target Corp over the holiday shopping season was far bigger than initially thought, the US company said on Friday, as state prosecutors announced a nationwide probe into the second-biggest retail cyberattack on record.
Target said an investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and e-mail addresses. Previously, the No. 3 US retailer said the hackers stole data from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She said some of the people did not shop at Target stores during the period of the breach, between Nov. 27 and Dec. 15, and that their personal information was stolen from a database.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Target chief executive Gregg Steinhafel said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
“A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach,” Massachusetts Attorney General Martha Coakley said.
Security experts said the stolen payment card data could be used to fabricate counterfeit magnetic stripe credit cards. And the personal information could be sold on underground exchanges for use in e-mail “phishing” campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
“I think they still have no idea how big this is,” said David Kennedy, a former US Marine Corps cyberintelligence analyst who runs his own consulting firm, TrustedSec LLC.
The largest known breach at a US retailer, uncovered in 2007, was at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains, where details from more than 90 million credit cards were stolen over about 18 months.
On Friday, Neiman Marcus revealed it too had been the victim of a security breach.
The high-end department store was informed by its credit-card processor in mid-December of possible unauthorized card activity that followed customer purchases at Neiman Marcus stores, spokeswoman Ginger Reeder said.
A subsequent investigation turned up evidence on Jan. 1 of a “criminal cybersecurity intrusion” that may have compromised an unknown number of customers’ cards, the company said.
Neiman Marcus, owned by the Canada Pension Plan Investment Board and private equity firm Ares Management LLC, is still investigating and said it did not know at this time how many customers may have been affected. Nor was it immediately clear whether it was linked to the Target incident.