Information on 70 million taken in Target data breach

Last month, Target said up to 40 million customers’ credit and debit card information was stolen.
Last month, Target said up to 40 million customers’ credit and debit card information was stolen. Joe Raedle/Getty Images

WASHINGTON — Target said Friday that the thieves who stole massive amounts of credit and debit card information during the holiday season also swept up names, addresses, and phone numbers of 70 million customers, information that could put victims at greater risk for identity theft.

Every bit of added data helps criminals develop more sophisticated tactics for either impersonating victims or luring them to give up more sensitive information, according to security experts.

‘‘These criminals are building up dossiers on individuals,’’ said Avivah Litan, a fraud and security analyst at Gartner, a research firm.

The Target breach already ranks as one of the worst ever. During the peak of holiday shopping last month, Target said that up to 40 million customers’ credit and debit card information had been stolen from people who shopped in stores from Nov. 27 to Dec. 15. On Friday, the company said a new group of 70 million customers — some of whom might also have had their card data stolen — have had their personal information compromised, as well.

The growing scandal has triggered at least two class-action lawsuits, drawn state and federal investigations, and damaged Target’s bottom line. Massachusetts Attorney General Martha Coakley joined the executive committee of a multistate group to investigate the breach. The company on Friday cut its fourth-quarter earnings forecast and said it expects sales to decline by 2.5 percent.


‘‘All the costs are going to eat up their profits,’’ said John Kindervag, an analyst with Forrester. ‘‘There’s going to be shareholder revolts. There’s going to be prosecutions. They’ve stepped in quicksand. It’s not going to be fun.’’

Affected customers will be sent an e-mail providing them with general security tips, said Target, adding that no personal information would be requested in the e-mail. The Minneapolis-based retailer is also offering one year of free credit monitoring and identity theft protection to all shoppers. Customers are not liable for any fraudulent charges made to their cards as a result of the breach, according to Target, which has also put a list of tips for shoppers on its website.


‘‘I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,’’ Gregg Steinhafel, Target’s chairman, president, and chief executive, said in a statement.

Friday’s announcement is the result of an ongoing investigation into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.

Target’s problems reflect a crisis in how customer data is protected, analysts said.

‘‘It’s a little frightening. These bad guys are getting into some of the most secure retailers’ networks, and I’m sure it’s not going to stop at Target,’’ Litan said.