Target data breach bigger than thought

Target shopper
A customer signs a credit card statement next to a scanner in a Target store on December 19, 2013 in Miami, Florida.
Joe Raedle/Getty Images

The holiday data breach at Target is worse than the company previously knew.

Target officials say hackers grabbed personal information of 70 million customers, including their names, phone numbers and email and mailing addresses.

The company has not determined how many of those people are among the 40 million Target shoppers who had credit and debit cards number stolen from late November to mid-December while they shopped Target stores.

However, Target spokeswoman Molly Snyder said the personal data was taken at the same time the payment card information was. She would not detail how the hackers obtained the personal information.

"Same criminals, same time frame. But two distinct pockets of information," Snyder said. "There certainly may be some overlap. But it's too early to determine."

At least partly in response to the data theft, Target lowered its quarterly sales and earnings forecast. Company officials also have apologized to customers.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," CEO Gregg Steinhafel said in a statement.

The potential harm to consumers depends on the breadth of information taken, cyber security expert Bruce Schneier said.

"If it's name, address, email address, phone numbers, that's basically a phone ... not that much," Schneier said. "If it includes account information, if it includes financial information, then potentially there are avenues of fraud. It depends on the kind of information taken and how fresh it is."

Target continues to assure customers they will have no liability for fraudulent charges. The retailer is offering customers free credit monitoring and identity theft protection. It is also warning shoppers to watch out for e-mail, phone and other scams that could be based on stolen information.

Company officials said customers should particularly be wary of requests for Social Security numbers, passwords, user IDs and financial account information, as well as mass emails asking for money.

Although Target has not seen much fraud related to the data theft, company officials won't say how many such transactions have occurred.

Schneier said the payment card industry is pretty good at thwarting crooks.

"The credit industry is good at detecting fraudulent spending patterns, at giving you new cards, refunding your money and making this as painless as possible to the customer," he said. "The industry wants the customers to keep using their credit cards. And this fraud to the extent it makes people scared costs the industry money."

Although the data theft is probably headache facing Target, it is not the only one.

Target has been struggling with its entry into Canada, losing hundreds of millions of dollars in that venture last quarter. Meanwhile, worried consumers have been holding on to their wallets.

Retail industry consultant Howard Davidowitz figures the data breach will cost Target dearly as it copes with penalties and other costs related to the information theft.

"My guess is they will take an accounting reserve in the amount of hundreds of millions of dollars, with all the costs they'll have --card reissuance, litigation, government investigations all kinds of things," he said.

Target has worked hard to convince customers to use its REDcard debit and credit cards, which provide incentives for the retailer's best customers to spend more. The cards offer 5 percent discounts on most purchases and, of late, have accounted for about a fifth of Target's sales.

The data breach could hurt the popularity of REDcards, Morningstar retail analyst Ken Perkins said.

"That opportunity could be lost to some extent if fewer people are willing to trust Target with their information on a REDcard," he said.

Target expects sales at stores open at least a year will fall about 2.5 percent this quarter, as sales were weaker than expected after the company acknowledged the data breach last month.

Target also dropped its profit forecast for the quarter by about $200 million. The retailer said this quarter's earnings may include as yet undetermined charges related to the data breach.

But Target has not yet been able to estimate the costs related to the data breach. Company officials said the costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation. Other costs could include governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.

Those expenses may hurt Target's financial performance in the current and future quarters.

However, Edward Jones retail analyst Brian Yarbrough expects the flap about the information theft will blow over eventually.

"I don't think longer-term it will impact them," he said. "We've seen this happen with TJX back in 2007 and they managed do extremely well after the fact. So we do think that consumers will eventually start heading back to Target."

Wall Street investors don't seem deterred. While the major indexes were pretty much flat, Target's share price fell by just a little over 1 percent .

Your support matters.

You make MPR News possible. Individual donations are behind the clarity in coverage from our reporters across the state, stories that connect us, and conversations that provide perspectives. Help ensure MPR remains a resource that brings Minnesotans together.