Other Shoe Drops in Target Customer Data Breach
Data thieves may have accessed a lot more Target customer information than originally thought, an investigation into the holiday breach revealed. Hackers apparently didn't stop with collecting credit and debit card data -- they got their hands on names, addresses, phone numbers and email addresses as well. Target has promised to send emails notifying customers of their potential exposure.
Jan 10, 2014 2:36 PM PT
The security breach that initially appeared to affect as many as 40 million customers may put many more at risk, Target revealed Friday.
In addition to accessing those customers' payment card data, hackers stole the names, mailing addresses, phone numbers or email addresses for up to 70 million people, according to the retailer.
Not a New Breach
The personal data theft is not a new breach; it was uncovered in the investigation of the payment card data heist, Target pointed out.
The company in December disclosed that hackers might have accessed as many as 40 million customer accounts between Nov. 27 and Dec. 15, during the busiest retail period of the year. Information associated with credit and debit cards used in Target stores during that time frame were put at risk. Online transactions were not affected.
Much of the additional data that might have been grabbed, based on the investigation's findings, was partial. However, Target will contact customers who may have been affected if it has an email address for them. The company will provide details about the breach, including information on how to avoid consumer scams.
Target assured customers that they will assume no liability for any fraudulent charges that might be incurred as a result of the breach. It is offering a year of free identity theft protection and credit monitoring to consumers who shopped at its U.S. stores. Customers have three months to register and can access more details about the program next week.
Along with the disclosure of updated breach data, Target issued updated guidance for its Q4 2013 financial performance. For the U.S. segment, it now anticipates earnings per share of US$1.20 to $1.30 for the quarter, down from previous guidance of $1.50 to $1.60. That relates to an expected sales dip of around 2.5 percent, whereas previous guidance suggested flat comparable sales.
Target updated its guidance based on stronger-than-expected sales prior to announcement of the breach on Dec. 19 and lower-than-expected sales since, even though sales have rebounded somewhat over the last few days. Target expects a comparable sales drop of between 2 and 6 percent for the rest of the quarter.
The firm was unable to update the expected generally accepted accounting principles (GAAP) EPS, though it expects 5-10 cents of dilution linked to store closures, real estate impairments, and similar causes. It expects around 45 cents of dilution linked to the Canadian arm of the business, compared with previous guidance of 22-32 cents.
The GAAP EPS for the quarter might include charges related to the breach, Target noted. It's unable to provide estimates of the related costs, which may include liability payments to credit card firms; civil lawsuits; government investigations and enforcement; legal, consulting, and investigative fees; and any investments for remediation.
These potential costs, Target noted, may affect results both for the quarter and the future.
The extent of the hack is "really a game changer in many respects," Aaron Titus, chief privacy officer with Identity Finder, told the E-Commerce Times.
"Addresses and email addresses and phone numbers are not on your credit card. This points to a much wider breach than I think we were originally anticipating, technologically and in sheer numbers," Titus said.
"Typically, the database holding credit card numbers and the database holding email addresses are separate from one another. Either there was a database where credit card data and customer names, phone numbers and email addresses were all held together -- if that's the case, that's a very bad practice -- or it means that two separate databases were compromised," he conjectured.
"Each of those scenarios has implications, none of which are good," Titus continued. "I hope it was two separate systems that were hacked. Though if that's the case, the question arises: How were separate systems hacked, and what does that say about Target's overall corporate security?"
Titus used his credit card after the initial news of the breach, based on the understanding that the systems had rarely been as secure as they were at that point. The latest revelations, which suggest a much wider breach, really are "a kick in the gut, for me as a Target customer," he said.
Target is now surely focused on shoring up its defenses to avoid similar occurrences in the future.
'Stronger Audit Systems'
"Putting in stronger audit systems is job one -- to try and detect data infiltration," Dave Jevans, chief technology officer and founder of Marble Security, told the E-Commerce Times.
" I think these days pretty much everyone is coming around to that position: that someone is going to break in at some point, and you've got to be able to detect when that data's leaving the network," he said.
"My recommendation on these types of systems is increasingly becoming that archived data should not be left online and should be deleted or air gapped," Jevans continued.
"There's no reason you need 70 million credit cards and people's information accessible over an Internet-connected system. People leave that stuff around because they're lazy. It's too hard to delete it," he said. "There's no way they need more than half a million people's data online for repeat shoppers."