Target Says Data Breach Puts Up to 110 Million People at Risk

Target Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that’s well beyond the financial information on 40 million people it initially reported.

The company said its ongoing investigation of the breach revealed that names, mailing addresses, phone numbers and email addresses were exposed, at least in partial form, to the hackers who accessed its data system.

The company also said it will close eight poorly performing stores in its 1,800-unit chain, the first time in recent memory it has shut down such a large number at once.

In announcing the new details, Target said, “The theft is not a new breach.” But spokeswoman Molly Snyder later said the possibility exists that the personal-information exposure involves different people than the financial one.

If so, as many as 110 million people had data stolen from Target’s system from Nov. 27 to Dec. 15. The number is probably smaller, however, since there is likely overlap in the two groups.

To date, little fraud has been reported related to the breach. But since it was initially announced on Dec. 19, Target has twice been forced to acknowledge that more information got out than it had thought. On Dec. 27, Target said that customers’ PINs were exposed.

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer at Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

In addition, the company revealed its own financial impact from the theft for the first time, saying that shoppers turned away from its stores after the incident was revealed on Dec. 19, and that it expects lower sales and profits as a result.

Target said that customers would encounter “zero liability” from any damage they suffer due to the theft of Target’s data. It offered to provide free credit monitoring and identity-theft protection for customers for a year.

The data breach is one of the largest involving a U.S. corporation. Hackers inserted malicious software onto the point-of-sale terminals where Target customers swiped their credit and debit cards for payment at the end of a shopping excursion.

After it was revealed on Dec. 19, customers swamped the company with phone calls seeking details, politicians criticized the company and the Justice Department launched an investigation. Some banks temporarily imposed limits on the amount of money that could be withdrawn from accounts that people used to pay Target.

Investors, however, have been less shaken. Target shares have been volatile, but traded in a tight range of about $61.50 to $63.50 per share.

In its discussion of the financial impact, Target said that sales turned “meaningfully weaker” after the incident was revealed in mid-December. It lowered its outlook for fourth-quarter comparable sales revenue to a drop of 2.5 percent. It previously thought such sales would be unchanged from the year-earlier period.

Target also said that it expects further charges against earnings for costs related to the breach, but that at the present time, it could not estimate their size.

The company’s statement comes at the end of a week of bad news from U.S. retailers, with many saying that year-end sales fell below expectations. Specialty stores like Bed Bath & Beyond, American Eagle Outfitters and Pier 1 Imports all told investors to expect lower-than-expected results, and Sears Holding Corp. late Thursday said it expected to report a net loss for the latest period.

Target said that it now expects its fourth-quarter profit to be in a range of $1.20 to $1.30 a share, down from its previous expectation of $1.50 to $1.60 a share.

Executives said the company’s sales were doing better than they had expected before the data breach was revealed on Dec. 19.

In addition to the potential costs of the data breach, Target said its fourth-quarter performance will be weakened by expenses related to closing eight stores, some real estate costs and some costs related to its massive expansion in the Canadian market this year, where it opened more than 100 stores.

Target is closing two stores in Nevada, two in Ohio, and one each in Florida, Georgia, Illinois and Tennessee.

“In light of the recent data breach, our top priority is taking care of our guests and helping them feel confident in shopping at Target,” John Mulligan, Target’s chief financial officer, said in a statement. “At the same time, we remain keenly focused on driving profitable top-line growth and investing our resources to deliver superior financial results over time. While we are disappointed in our 2013 performance, we continue to manage our business with great discipline and leverage our expense optimization efforts to reinvest in multichannel initiatives that generate long-term value for our shareholders.”