By Dhanya Skariachan and Jim Finkle
NEW YORK/BOSTON, Jan 10 - The data breach at
Target Corp over the holiday shopping season was far
bigger than initially thought, the U.S. company said on Friday,
as state prosecutors announced a nationwide probe into the
second-biggest retail cyber attack on record.
Target said an investigation found that hackers stole the
personal information of at least 70 million customers, including
names, mailing addresses, telephone numbers and email addresses.
Previously, the No. 3 U.S. retailer said the hackers stole data
from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but
the extent was not clear, according to Target spokeswoman Molly
Snyder. She said some of the victims did not shop at Target
stores during the period of the breach, between Nov. 27 and Dec.
15, and that their personal information was stolen from a
database.
"I know that it is frustrating for our guests to learn that
this information was taken and we are truly sorry they are
having to endure this," Target Chief Executive Gregg Steinhafel
said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts
and Minnesota said they were joining a nationwide probe into the
security breach. A source familiar with the joint probe said
more than 30 states were involved.
"A breach of this magnitude is extremely disconcerting and
we are participating in a multi-state investigation to discover
the circumstances that led to this breach," Massachusetts
Attorney General Martha Coakley said.
Security experts said the stolen payment card data could be
used to fabricate counterfeit magnetic stripe credit cards. And the
personal information could be sold on underground exchanges for
use in email "phishing" campaigns, aimed at persuading victims
to hand over even more sensitive information, such as bank
account numbers.
"I think they still have no idea how big this is," said
David Kennedy, a former U.S. Marine Corps cyber-intelligence
analyst who runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part
due to weaker-than-expected sales since reports of the
cyber-attack emerged in mid-December. Target shares closed down
just over 1 percent to $62.62, hovering near a year-low.
The largest known breach at a U.S. retailer, uncovered in
2007, was at TJX Cos Inc, operator of the T.J. Maxx and
Marshalls chains, where more than 90 million credit cards were
stolen over about 18 months.
On Friday, Neiman Marcus revealed it too had
been the victim of a security breach.
The high-end department store was informed by its
credit-card processor in mid-December of possible unauthorized
card activity that followed customer purchases at Neiman Marcus
stores, spokeswoman Ginger Reeder said.
A subsequent investigation turned up evidence on Jan. 1 of a
"criminal cybersecurity intrusion" that may have compromised an
unknown number of customers' cards, the company said.
Neiman Marcus, owned by the Canada Pension Plan Investment
Board and private equity firm Ares Management LLC, is still
investigating and said it did not know at this time how many
customers may have been affected. Nor was it immediately clear
whether it was linked to the Target incident.
FRAUD REPORTS GROWING
Reports of fraudulent card charges have been growing since
the Target breach was disclosed, said an executive at one major
card issuer who asked not to be identified.
The full magnitude of the damage will not likely be known
until later in January, when customers receive and examine their
monthly statements and call their banks, the executive said. He
added that, in past cases, it has taken 30 to 45 days for the
vast majority of bad charges to surface.
Target and credit card issuers have said customers will have
zero liability for the cost of any fraudulent charges.
Harlan Loeb, global chairman of the crisis and risk
management practice at Edelman, said Target should have been
more proactive in communicating with its customers. He thinks
Target will have a tougher task containing the situation than
TJX did.
"The game has changed so dramatically since 2007," Loeb
said, citing "the dramatic escalation of information channels
and the sophistication of hackers."
"The one thing that should be part of any crisis plan is the
specter that you might have to be in communication with hundreds
of thousands of customers instantly," Loeb said. "There was an
element of that missing" in Target's case.
According to a Reuters/Ipsos poll, 40 percent of people who
shopped at Target during the period of the data breach had not
been notified about the incident. Thirty-one percent said they
had been notified by Target and 28 percent said they had been
notified by their bank or credit card company. The results
represent 640 surveys conducted from Jan. 2 to Jan. 10, with a
margin of error of plus or minus 4.5 percentage points.
In the wake of the Target breach, Senate Judiciary Committee
Chairman Patrick Leahy introduced on Wednesday a new version of
a 2005 bill that seeks to improve how companies protect consumer
data from cyber thieves. It would set criminal penalties for
intentional or willful concealing of a personal data breach that
causes economic damage to consumers, and ensure that conspiring
or attempting to commit computer fraud would face the same
penalties as completed offenses.
"This is a terrible situation and it's upsetting to see that
the scope of this breach is larger than first thought," said
Senator Al Franken of Minnesota, who is one of three Democrats
currently signed on to Leahy's bill as co-sponsors.
"Data breaches like this one, and past breaches such as at
T.J. Maxx and Sony PlayStation, raise important questions about
the responsibilities corporations have to protect consumer data
and inform their customers when data have been compromised."
Senator Richard Blumenthal, a Connecticut Democrat, is also
co-sponsoring the bill.
"Disclosures about Target's even broader breaches of
customer information will rightly add alarm and anger. Now, more
than ever, an FTC investigation is necessary - and should be
publicly confirmed - so that consumers know their rights and
interests are protected," Blumenthal said in a statement.
The Federal Trade Commission privacy spokesman declined to
comment, saying the agency does not confirm or deny the
existence of investigations.
Data breach laws are more specific on the state level and
the FTC can only bring lawsuits under the FTC Act against
companies if they are deemed to not have protected the data
properly.
TOTAL COST UNKNOWN
On Friday, Target cut its fourth-quarter adjusted earnings
forecast for U.S. operations to between $1.20 and $1.30 per
share, down from $1.50 to $1.60. The Minneapolis-based company
also forecast a 2.5 percent decline in fourth-quarter same-store
sales. It had forecast flat sales.
Target expects full-year earnings per share to include
charges related to the data breach, but said it could not
estimate the costs.
Janney Capital Markets analyst David Strasser described
Target's holiday sales report card as "dismal."
"We all knew it was going to be bad at Target, but it was
the magnitude of decline that was unclear," he said. "Clearly,
the first half of the fourth quarter was impacted by an
aggressive holiday season across retail, but the credit card
data breach had a significant impact post Dec. 19.
"The key risk remains the time it takes for consumers to
forgive Target. If this is like past breaches this should
normalize as the year progresses," Strasser added.