NEW YORK (AP) — Fallout from Target's pre-Christmas security breach is likely to affect the company's sales and profits well into the new year.
Tips for consumers worried about the Target breach
BREE FOWLER, AP Technology Writer
NEW YORK (AP) — Target's massive pre-Christmas security breach may have affected more than 70 million people.
The incident could turn out to be one of the largest data breaches on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90 million records pilfered from TJX Cos. Inc.
Target Corp. disclosed last month that about 40 million credit and debit cards may have been affected by the breach that occurred between Nov. 27 and Dec. 15. But according to new information released Friday, those criminals also stole personal information — including names, phone numbers as well as email and mailing addresses — from as many as 70 million customers who could have shopped at stores outside of that timeframe.
Some overlap exists between the two data sets.
Here's what you need to know if you think your data was compromised:
Q: How did this happen?
A: Target has said that the breach was caused by malware that affected its U.S. stores.
Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches like this one, says it's likely that the perpetrators infiltrated Target's main information hub with malware and from there were able to access the store point-of-sale systems. Once the malware was in the POS systems, it could collect credit and debit card numbers as the cards were swiped.
Stasiak notes that retailers routinely collect personal information such as addresses, emails and phone numbers through things such as rewards cards when sales are made, so that information is also contained on POS systems just like credit card numbers.
Q: If my card number was stolen, what exactly am I on the hook for?
A: In most cases consumers aren't responsible for fraudulent credit card charges.
Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn't happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately. Usually the worst thing consumers have to deal with is the hassle of getting a new credit card.
But since debit cards don't come with all of the same protections, holders of those kinds of cards may have a harder time getting their money back.
And the banks and credit card companies ultimately won't be stuck with the bills, either. Since the fraud has been tied to Target, the retailer will be responsible for compensating them.
Q: What are the odds that my identity will be stolen?
A: There's no way to know. But Stasiak says the revelation that personal information was taken in addition to credit and debit card data makes it much more likely that the thieves weren't just out to steal credit card numbers for financial gain.
For instance, criminals could use that personal information to send specific phishing emails to Target shoppers that prompt them to click on links that send malware to their own computers and steal even more information.
And identity theft damage could be much harder for victims to repair than credit card fraud. In addition, if the theft is discovered months or even years down the road, it will be much harder to tie to the Target breach, Stasiak says.
Q: What should I do to protect myself?
A: Consumers who think they may be affected should check their credit card statements carefully for potentially fraudulent charges. Experts say in cases like this when a huge amount of information is stolen, the thieves often sell it on the black market to the highest bidder. As a result, it could be a while before someone tries to use the information for nefarious purposes.
If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission.
Stasiak says that since it could be a long time before identity theft victims even realize they've been hit, people should take Target up on its offer of free credit monitoring. Those services, for instance, inform consumers if someone takes out a loan in their name.
He also advises potential victims to change email passwords and to make sure that the same passwords aren't being used for other accounts like Facebook. And while the company has not said that its website was compromised in the attack, he says shoppers also should change their passwords related to those, since it's apparent that Target doesn't yet have a full grasp of the damage.
Consumers can get more information about identity theft on the FTC's website at www.consumer.gov/idtheft, or by calling the FTC, at 877- IDTHEFT (438-4338).
The company disclosed on Friday that the massive data theft was significantly more extensive and affected millions more shoppers than the company reported in December. As a result of the breach, millions of Target customers have become vulnerable to identity theft, experts say.
The nation's second largest discounter said hackers stole personal information — including names, phone numbers as well as email and mailing addresses — from as many as 70 million customers as part of a data breach it discovered last month.
Target announced on Dec. 19 that some 40 million credit and debit card accounts had been affected by a data breach that happened between Nov. 27 and Dec. 15 — just as the holiday shopping season was getting into gear.
As part of that announcement, the company said customers' names, credit and debit card numbers, card expiration dates, debit-card PINs and the embedded code on the magnetic strip on the back of cards had been stolen.
According to new information gleaned from its investigation with the Secret Service and the Department of Justice, Target said Friday that criminals also took non-credit card related data for some 70 million individuals. This is information Target obtained from customers who, among other things, used a call center and offered their phone number or shopped online and provided an email address.
Some overlap exists between the 70 million individuals and the 40 million compromised credit and debit accounts, the company said.
The revelations mean more than 70 million people may have had their data stolen. And when the company releases a final tally, the theft could become the largest data breach on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90 million records pilfered from TJX Cos. Inc.
The latest developments come as Target said that just this week it was starting to see sales recover from the crisis. The company, however, cut its earnings outlook for the quarter that covers the crucial holiday season and warned that sales would be down for the period.
But with the latest news, some analysts believe the breach could be a financial drag on the company for several more quarters.
"This is going to linger like a black cloud over the company's financials for the first half of the year," said Brian S. Sozzi, CEO & chief equities strategist at Belus Capital Advisors.
Meanwhile, the Attorney General from New York announced that it is participating in an investigation into the security breach. Attorney General Eric T. Schneiderman called the latest news "deeply troubling."
Molly Snyder, a Target spokeswoman, told The Associated Press that the company had no new details to share about how the data breach was executed. The company has only said that the point-of sale system in its U.S. stores was compromised.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target chairman, president and CEO, in a statement.
Target investors have been largely unmoved by the company's disclosures. Target's stock, while volatile, has traded at about $63 since news of the breach leaked on Dec. 18. It slipped just 72 cents, or more than 1 percent, to $62.62 in trading Friday.
But some observers believe the stock could get battered if consumers stay away from Target stores. Several Wall Street analysts downgraded their earnings forecasts for the retailer on Friday.
Colleen McCarthy, 26, of Cleveland, Ohio, is among those who are avoiding Target. McCarthy used her Chase debit card at a local Target on the Friday after Thanksgiving and received a notice from Chase a few days after news of the breach first broke. The letter identified her as a potential victim of the Target breach but said, "don't worry." At the time, she was only somewhat concerned.
But Monday night McCarthy received a call from Chase, alerting her that someone tried to use her debit account twice in Michigan. The thief cleared $150, which caused her rent check to bounce. Chase restored the money to her account. "This has been a nightmare," she said. "My rent check bounced. My debit card had to be canceled. And who's to say what other people have access to my information?"
Target tried to woo scared shoppers back to stores on the last weekend before Christmas with a 10 percent discount on nearly everything in its stores. Target is also offering a year of free credit monitoring and identity theft protection to customers that shopped at its stores.
Still, some experts believe the company should do more.
"Target is in a critical situation with consumers because its credibility and brand loyalty are being questioned," said David E. Johnson, CEO of Strategic Vision, LLC, which specializes in crisis communications. "Right now, investors think Target can weather the storm. But the longer it gets worse, the worse it is for Target."
Johnson says Target needs to rebuild shoppers' trust. He believes Target needs to air TV commercials assuring them that it's safe to shop in its stores. It also should offer more incentives like deeper discounts to woo consumers, Johnson said.
Clearly, Target shoppers were scared off during the holiday season, when stores can make roughly 20 percent to 40 percent of their annual revenue.
The Minneapolis company also said that it now foresees fourth-quarter sales at stores open at least a year will be down about 2.5 percent. It previously predicted those sales would be about flat.
This figure is a closely-watched indicator of a retailer's health.
Target cautioned that its fourth-quarter financials may include charges related to the data breach. The chain said the costs tied to the breach may have a material adverse effect on its quarterly results as well as future periods.
The company has 1,921 stores, with 1,797 locations in the U.S. and 124 in Canada.
AP Business Writer Bree Fowler in New York contributed to this report.