MINNEAPOLIS – Target Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that’s well beyond the financial information on 40 million people it initially reported.
The company said its ongoing investigation of the breach revealed that names, mailing addresses, phone numbers and email addresses were exposed, at least in partial form, to the hackers who accessed its data system.
The Minneapolis-based company also said it will close eight poorly performing stores in its 1,800-unit chain, the first time in recent memory it has shut down so many at once.
In announcing the new details, Target said, “The theft is not a new breach.” But spokeswoman Molly Snyder later said the possibility exists that the personal information exposure involves different people than the financial one.
If so, as many as 110 million people had data stolen from Target’s system from Nov. 27 to Dec. 15. The number is probably smaller, however, since there is likely overlap in the two groups.
To date, little fraud has been reported related to the breach. But since it was initially announced in Dec. 19, Target has twice been forced to acknowledge that more information got out than it thought. On Dec. 27, Target said that customers’ PINs were exposed.
Target said its sales turned “meaningfully weaker” after the incident was revealed in mid-December. It lowered its outlook for fourth-quarter comparable sales revenue to a drop of 2.5 percent.
It previously thought such sales would be unchanged from the year-earlier period.
Target said that customers would encounter “zero liability” from any damage they suffer due to the theft of Target’s data. It offered to provide free credit monitoring and identity-theft protection for customers for a year.