For Target, the Breach Numbers Grow

Target on Friday raised its estimate of the number of customers whose credit and debit card data were stolen late in 2013. Credit: Joe Raedle/Getty Images

Target on Friday revised the number of customers whose personal information was stolen in a widespread data breach during the holiday season, now reporting a range of 70 million to 110 million people.

The stunning figure represents about a third of all American adults at the low end, and is nearly three times as great as the company’s original estimate at the upper end. The theft is one of the largest ever of retail data.

Not only did Target’s announcement disclose a vastly expanded universe of victims, but it revealed that the hackers had stolen a broader trove of data than originally reported. The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center.

On Dec. 19, Target confirmed reports that payment data was stolen from about 40 million customers who shopped in its stores in the United States from Nov. 27 to mid-December. As its investigation into the theft continued, the company said it had found that an additional quantity of data, collected over time on 70 million people and stored separately from the in-store data, was stolen.

The latest subset of potential victims includes customers who may not have shopped at Target during the holiday period.

Although there is probably some overlap between the two groups, the company said it did not know the extent.

When Target’s security breach became public in mid-December, customers flooded help lines, the company’s website and its Facebook page expressing worry and irritation. And it now appears that wary customers steered clear of Target stores during the last days of the shopping season, as suggested by the company’s statement on Friday that sales declined noticeably after the disclosure.

The effect of the data theft has reached far beyond one of the nation’s largest retailers. Major credit card companies and banks have been issuing warnings about potential fraud to their customers and providing them with new cards and account numbers as a precaution. Some banks have limited cash withdrawals. As banks and companies continue to monitor customers’ accounts for suspicious activity, the Secret Service and the Justice Department have opened an investigation.

“This will impact many Target business partners — Visa, MasterCard and the host of banks and credit agencies that now have to keep an eye on the 110 million customers now vulnerable to identity theft,” said Hemu Nigam, founder of SSP Blue, a security and privacy consulting firm. “It affects more than Target customers. It affects mortgage lenders and car sales. It affects the entire economic infrastructure.”

Fraud experts said the information stolen from Target’s systems quickly flooded the black market. On Dec. 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a tenfold to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.

The company apologized again on Friday for the broadening violation of its customers’ privacy.

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg W. Steinhafel, Target’s chief executive, said in a statement.

Security experts say that clever hackers could potentially piece together customers’ stolen information for identity theft or for use in a so-called spear phishing attack, in which hackers send highly tailored emails to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers’ networks.

Thanksgiving Day at a Target in Chicago. Target said up to 110 million customers had data stolen, and that some of it was taken before the holiday shopping season. Credit: Jeff Haynes/Reuters

Target has been working with a forensics team at Verizon, and it has also consulted with Mandiant, a security firm specializing in data breach recovery, which recently agreed to be acquired by FireEye, the security software company, for close to $1.1 billion.

After the initial breach, Target said that it had protected customers’ payment information with encryption and that it had stored the keys to descramble it on separate systems not affected in the breach. But the encryption algorithm Target used to protect that data — a standard known as triple DES, or 3DES — is vulnerable in some cases to so-called brute force attacks, when hackers use computers for high-speed guessing. In a breach on Adobe last year, hackers were able to bypass 3DES encryption through brute force attacks and exposed tens of millions of Adobe passwords within weeks of the breach.

On Friday, a Target spokeswoman would not comment on whether the second batch of information stolen from its 70 million customers was encrypted.

In Adobe’s case, too, the number of stolen records was significantly larger than the company initially reported. When Adobe first reported the breach in October, it said hackers had gained access to payment card and personal data for 2.9 million customers, including user names and passwords. By the end of the month, the tally had grown to more than 38 million records.

Until now, the most extensive data breach on record for a retailer was the theft of 90 million records from T. J. Maxx in 2005. The biggest breach over all, however, was in 2009, when the card processor Heartland Payment Systems was targeted and 130 million credit card numbers were stolen.

Security experts say the number of Target customers exposed could still grow. “Like a natural catastrophe, usually a low number of breached records is reported and, as the story unfolds, the number of compromises grows and grows,” said Anup Ghosh, founder of Invincea, a security software company. “In Target’s case, what this highlights is that the point-of-sale systems customers use to swipe their credit cards are connected to the corporate network like everything else. There is lots of opportunity to compromise individuals through point-of-sale machines and then pivot to the corporate network.”

Mr. Ghosh said he suspected that hackers might use the trove of email addresses to send spoofed correspondence from Target, asking users for more information than they would typically be asked to enter, such as a mother’s maiden name or a Social Security number, that hackers could use for identity theft, or to take their credentials and use them for cybercrime.

Jay Mayfield, a spokesman for the Federal Trade Commission, the federal agency charged with investigating data breaches, said he could not comment on the Target breach or confirm whether the agency was investigating.

Historically, the agency has filed nearly 50 lawsuits against companies in cases where it found that the company’s data security was not up to acceptable standards.

The holiday season is a critical time for most retailers, and it can account for 20 to 40 percent of a retailer’s annual sales, according to industry groups. Long before the data breach, Target’s executives predicted a flat sales season.

Once Target disclosed the theft to consumers, sales dropped. The company tried to entice wary customers to shop by offering a 10 percent discount on purchases in its stores the weekend before Christmas, but the damage to customer loyalty surfaced in the latest sales figures. Target said the decline in sales after the breach was disclosed might be 2 to 6 percent among stores that had been open at least a year, in contrast to the previous season.

The company said it had started to see some improvement in its performance in recent days.

In yet more grim news from Target, the retailer announced on Friday that it would close eight United States stores in May, in locations including Las Vegas, Memphis and Middletown, Ohio.

As Target continued to investigate its breach, another major retailer, Neiman Marcus, confirmed on Friday that it, too, had been breached. The retailer, based in Texas, said it began investigating reports of fraudulent activity on credit cards belonging to customers who had recently shopped in its stores and discovered it was the result of an intrusion on its systems. The company said some customers’ credit card details may have been stolen, but did not say how many records were potentially compromised.

A version of this article appears in print in Section B, Page 1 of the New York edition with the headline: For Target, the Breach Numbers Grow.
