MINNEAPOLIS — Target Corp. said Friday that the thieves who accessed its data system from late November through mid-December also obtained personal information on 70 million customers, an exposure of data that's well beyond the financial information on 40 million people it initially reported.
The company said its ongoing investigation of the breach revealed that names, mailing addresses, phone numbers and email addresses were exposed, at least in partial form, to the hackers who accessed its data system.
The company also said it will close eight poorly performing stores in its 1,800-unit chain, the first time in recent memory it has shut down such a large number at once.
In announcing the new details, Target said “the theft is not a new breach” different from the original one. But spokeswoman Molly Snyder later said the possibility exists that the exposure of personal information involves different people from the financial one.
If so, as many as 110 million people had data stolen from Target's system from Nov. 27 to Dec. 15. The number is probably smaller, however, since the two groups probably overlap.
To date, little fraud has been reported related to the breach. But since it was initially announced Dec. 19, Target has twice been forced to acknowledge that more information got out than it thought. On Dec. 27, Target said that customers' PINs were exposed.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer at Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
In addition, the company revealed its own financial impact of the theft for the first time, saying that shoppers turned away from its stores after the incident was revealed on Dec. 19 and it expects lower sales and profits as a result.
Target said that customers would encounter “zero liability” from any damage they suffer due to the theft of Target's data. It offered to provide free credit monitoring and identity theft protection for customers for a year.
The data breach is one of the largest involving a U.S. corporation. Hackers inserted malicious software onto the point-of-sale terminals where Target customers swiped their credit and debit cards for payment at the end of a shopping excursion.
After it was revealed on Dec. 19, customers swamped the company with phone calls seeking details, politicians criticized the company, and the Justice Department launched an investigation. Some banks temporarily imposed limits on the amounts of money that could be withdrawn from accounts that people used to pay Target.
In its discussion of the financial impact, Target said that sales turned “meaningfully weaker” after the incident was revealed in mid-December. It lowered its outlook for fourth-quarter comparable sales revenue to a drop of 2.5 percent. It previously thought such sales would be unchanged from the year-earlier period.
Target also said it expects further charges against earnings for costs related to the breach but it could not now estimate their size.
Target said that it now expects its fourth-quarter profit to be in a range of $1.20 to $1.30 a share, down from its previous expectation of $1.50 to $1.60 a share.
In addition to the potential costs of the data breach, Target said its fourth quarter performance would be weakened by expenses related to closing eight stores, some real estate costs and some costs related to its massive expansion in the Canadian market this year, where it opened more than 100 stores.
Target is closing two stores in Nevada, two in Ohio, and one each in Florida, Georgia, Illinois and Tennessee.
Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.