Add personal information such as names, phone numbers and email addresses to the list of information stolen from customers in the recent Target data breach, one of the worst in U.S. retail history.
Target announced on Friday morning that it now believes up to 70 million of its customers had personal info such as home addresses, email addresses and phone numbers stolen during the holiday season incident. The company had originally said 40 million customers may have been affected and that stolen data was limited to credit and debit card data.
The company also said that the theft of personal information was not limited to customers who shopped at a Target store over the holiday period. Any person who has ever shopped at a U.S. Target store could have been affected.
Target spokeswoman Molly Snyder told Re/code it was not immediately clear how many of the 70 million newly discovered affected customers overlap with the 40 million it first discovered. In other words, the total number of Target customers affected could be more than 70 million, though likely less than 110 million. But Target can not yet assess the total damage as it continues to investigate.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken from Target,” the update reads. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”
Target customers will have access to a year of free credit monitoring, and the company said today it will also make available a free year of identity theft protection for all of its customers. It said it will announce details on these plans next week.
In response to the breach, banks such as Chase have lowered some customers’ debit withdrawal and spending limits to contain their own exposure to fraud.
It’s still not clear how the data thieves were able to get access to all of this data. Some security experts have suggested a malware attack that could have infiltrated Target via an employee’s email inbox, while others wondered if a piece of Target’s in-store point-of-sale system could have been compromised.
The company also announced on Friday that it was lowering its financial performance expectations for the quarter and said it would be closing eight of its stores permanently in May, including two in Las Vegas.