Target said Friday that as many as 110 million people may have been affected by a security breach of its data system from Nov. 27 to Dec. 15. — up to 70 million of whom had their personal information stolen and about 40 million people who had their payment card data stolen.
Target is investigating whether there is any overlap between the two groups of customers. Target spokesman Joshua Thomas said the information was stolen in one breach, but affects two discrete groups of customers. It's possible there exists "some crossover between the two groups," Thomas said, but he added that, if there is no overlap, the affected customers could number up to 110 million.
The company said personal information could include consumer names, phone numbers, mailing addresses and email addresses.
"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target's CEO, in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."
It is unclear how many shoppers in Southern California were affected. Thomas said the company hasn't released data showing how many shoppers were affected by region.
Sales have already suffered since the breach was first announced last month. Target revised its fourth quarter earnings guidance from $1.20 to $1.30 earnings per share, compared to its past guidance of $1.50 to $1.60 earnings per share.
Britt Beemer, CEO of America's Research Group, called the security breach a "black eye" for Target.
"Consumers have less money today, so when they spend their money, they are very cautious. The question is, how many people who shop at Target are saying, 'I'm not going to go there for a while until I know it's safe to shop there'?" Beemer said.
There is "no indication" that Social Security numbers were stolen, Target said on its website, and they added that they believe PIN numbers are safe and secure. The retailer said it would offer one year of free credit monitoring and identity theft protection for Target consumers, with more details shared in the next week. Target also said customers won't be liable for fraudulent purchases from the breach.
Monterey Park resident and Target customer Chris Lai said would still shop at Target despite the security breach.
"I'm not nervous about shopping at Target," Lai told KPCC's Josie Huang in December. "I'm nervous about using credit cards."
— Wendy Lee
Previously: The size of the data breach at Target Co. stores late last year took a sharp rise Friday when the retailer said it now estimates that thieves stole personal information of up to 70 million individuals, including their "names, mailing addresses, phone numbers or email addresses."
Previously, as we have reported, Target had said that "approximately 40 million credit and debit card accounts may have been impacted" when its customers' accounts were hacked during the height of the holiday shopping season.
In its statement Friday morning, the retailer said:
- "As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach."
- "This theft is not a new breach, but was uncovered as part of the ongoing investigation."
- "Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores. Guests will have three months to enroll in the program. Additional details will be shared next week. To learn more, please go to target.com/databreach."
Target has 1,797 stores in the U.S. and 124 in Canada.
This story has been updated.