Target's data breach over the crucial holiday selling season was even worse than expected. Up to an additional 70 million customers had their personal information stolen in the breach, bringing the total potentially affected up to 110 million, the retailer said Friday.
Target announced last month that encrypted personal identification numbers were stolen for up to 40 million credit and debit cards in the breach. Now its investigation finds "that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target CEO Gregg Steinhafel said in a press release.
Along with the encrypted PIN data, Target previously said that data thieves stole customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of cards used at Target between Nov. 27 and Dec. 15.
There may be overlap in customers who had both personal identification information stolen as well as credit and debit card data, but Target doesn't know to what extent, says spokesperson Molly Snyder.
News of the additional stolen data brings the total number of potential customers affected up to 110 million, and may increase the threat of identity theft, says Greg McBride, senior financial analyst at Bankrate.com.
"For somebody to actually go out and open credit in your name, it's pretty tough to do if they don't have your social (security number)," he says. "But if they have your social and have all this other stuff too, it compounds the problem."
Customers involved are also at greater risk of being targeted by email scams, he says.
To give "peace of mind," the Minneapolis-based retailer will offer free credit monitoring and identity theft protection to all its customers, with an opportunity to enroll over the next three months.
Target shares were down 1.2% to $62.56 in afternoon trading.
For Target customers who had their information stolen, the incident has meant hours spent speaking with banking customer service representatives, having to close accounts, be issued new credit and debit cards - and updating online accounts with the new information - and file identity theft reports.
Karen Raper, 46, from Lula, Ga., spent two hours talking to her bank on Christmas Eve after it notified her of suspicious activity showing up on her account from Ohio. Raper had shopped at Target on Black Friday, buying a camera for her daughter. Fifth Third Bank closed her account, will refund her the $300 that was charged and issue her a new card. But Raper says she's reluctant to head back to Target.
Kim Thompson, 39, says the situation makes her "angry, frustrated and concerned." Thompson, from Memphis, used her debit card to purchase groceries at Target at the beginning of December. She says she'll continue to shop there because it's convenient, but that she'll only use cash.
"This is a lesson to just sort of all of us to be constantly monitoring your accounts for unauthorized transactions," McBride says. "Because you have no liability as long as you report that to your financial institution."
Others are put off by a seeming lack of communication from Target. Those interviewed by USA TODAY say the first time they heard their information was compromised was, in most cases, from their bank, not the retailer.
"If Target does anything, it just seems like I have to either look it up or hear about it second hand," says Jackie Chavez, 40.
Chavez, from El Paso, shopped at Target on Black Friday and found out after Christmas from her bank that there was suspicious activity on her account.
Target emailed customers it thought were affected, and for whom it had email addresses, in the days after the breach was first announced Dec. 19. Snyder says that amounted to "millions of emails." It will do the same for the additional customers it's now found to be involved. The company also created a dedicated page on its website for the data breach, including resources about identity theft and credit reports.
The most recent announcement about the breach comes amid news of an unsuccessful holiday season for retailers and follows other disappointments at Target. Target lowered its fourth quarter guidance Friday, expecting a comparable store sales decline of 2.5%. It previously said sales would be flat.
Target also revealed at the end of December that some gift cards sold during the holidays weren't fully activated, but that it would still honor the faulty cards.
The retailer will close eight stores in May. The stores are in West Dundee, Ill.; Las Vegas, Nev.; North Las Vegas, Nev.; Duluth, Ga.; Memphis, Tenn.; Orange Park, Fla.; Middletown, Ohio; and Trotwood, Ohio.
"When your information is compromised, it puts you at greater risk of identity theft and other types of fraud," Cooper cautioned. "This is a wake up call to take action to protect yourself now," said North Carolina State Attorney General Roy Cooper
Here's some tips from North Carolina Department of Justice:
Target has said that it plans to offer a year of free credit monitoring and identity theft protection to anyone who shopped in Target stores in the United States. Cooper recommends that consumers take the following steps as well:
• Check your credit and debit card accounts and report suspicious charges to your bank or credit card company immediately. Also, request a new card with a different number and change any PINs or passwords for the affected account.
• Check your credit reports. Once criminals have your personal information, they may use it to open new accounts in your name. Everyone is allowed a free credit report per year from each of the three credit bureaus. Breach victims can also request a fraud alert from one of credit bureaus, and should consider a security freeze for maximum protection.
• Be on guard for calls, emails, texts or social media posts seeking your personal information or money. Scammers may pretend to be with your bank, utility, legitimate companies or government agencies, and if they already have some of your personal information they can seem more convincing. Do not fall for it.