Target Corp. announced Friday that personal information from as many as 70 million people may have been stolen in the data breach the company originally announced on Dec. 19.
The announcement upped the ante on the nature stolen data, as the new security breach numbers are in addition to the 40 million cards the the Minneapolis-based retailer had previously said had been compromised. Target also said the breach may have lasted longer than original dates of Nov. 27 to Dec. 15.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information – separate from the payment card data previously disclosed – was taken during the data breach," the retailer said in a release.
That includes names, mailing addresses, phone numbers or email addresses for up to 70 million people, the company said.
Read more about the Target breach.
The new numbers now mean the breach has eclipsed the estimated 90 million accounts affected by the years-long TJX breach before its discovery was announced in 2007.
Target said much of the data stolen is partial in nature and added it would be contacting customers for whom it has emails, offering information about guarding against consumer scams.
The company also reiterated that its customers have no liability for fraudulent charges arising from the breach and that it is offering a free year of credit monitoring and identity theft protection to anyone who shopped at its U.S. stores.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Target Chairman and President/CEO Gregg Steinhafel.
The announcement also said that Target sales and earnings have been impacted by the breach, reporting “meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days and a comparable sales decline of 2% to 6% for the remainder of the quarter.”