NEW YORK/BOSTON (Reuters) - The data breach at Target Corp over the holiday shopping season was far bigger than initially thought, the U.S. company said on Friday, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Target said an investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Previously, the No. 3 U.S. retailer said the hackers stole data from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She said some of the victims did not shop at Target stores during the period of the breach, between November 27 and December 15, and that their personal information was stolen from a database.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target Chief Executive Gregg Steinhafel said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
"A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach," Massachusetts Attorney General Martha Coakley said.
Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email "phishing" campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
"I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part due to weaker-than-expected sales since reports of the cyber-attack emerged in mid-December. Target shares closed down just over 1 percent to $62.62, hovering near a year-low.
The largest known breach at a U.S. retailer, uncovered in 2007, was at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains, where more than 90 million credit cards were stolen over about 18 months.
On Friday, Neiman Marcus revealed it too had been the victim of a security breach.
The high-end department store was informed by its credit-card processor in mid-December of possible unauthorized card activity that followed customer purchases at Neiman Marcus stores, spokeswoman Ginger Reeder said.
A subsequent investigation turned up evidence on January 1 of a "criminal cybersecurity intrusion" that may have compromised an unknown number of customers' cards, the company said.
Neiman Marcus, owned by the Canada Pension Plan Investment Board and private equity firm Ares Management LLC, is still investigating and said it did not know at this time how many customers may have been affected. Nor was it immediately clear whether it was linked to the Target incident.
Reports of fraudulent card charges have been growing since the Target breach was disclosed, said an executive at one major card issuer who asked not to be identified.
The full magnitude of the damage will not likely be known until later in January, when customers receive and examine their monthly statements and call their banks, the executive said. He added that, in past cases, it has taken 30 to 45 days for the vast majority of bad charges to surface.
Target and credit card issuers have said customers will have zero liability for the cost of any fraudulent charges.
Harlan Loeb, global chairman of the crisis and risk management practice at Edelman, said Target should have been more proactive in communicating with its customers. He thinks Target will have a tougher task containing the situation than TJX did.
"The game has changed so dramatically since 2007," Loeb said, citing "the dramatic escalation of information channels and the sophistication of hackers."
"The one thing that should be part of any crisis plan is the specter that you might have to be in communication with hundreds of thousands of customers instantly," Loeb said. "There was an element of that missing" in Target's case.
According to a Reuters/Ipsos poll, 40 percent of people who shopped at Target during the period of the data breach had not been notified about the incident. Thirty-one percent said they had been notified by Target and 28 percent said they had been notified by their bank or credit card company. The results represent 640 surveys conducted from January 2 to January 10, with a margin of error of plus or minus 4.5 percentage points.
In the wake of the Target breach, Senate Judiciary Committee Chairman Patrick Leahy introduced on Wednesday a new version of a 2005 bill that seeks to improve how companies protect consumer data from cyber thieves. It would set criminal penalties for intentional or willful concealing of a personal data breach that causes economic damage to consumers, and ensure that conspiring or attempting to commit computer fraud would face the same penalties as completed offenses.
"This is a terrible situation and it's upsetting to see that the scope of this breach is larger than first thought," said Senator Al Franken of Minnesota, who is one of three Democrats currently signed on to Leahy's bill as co-sponsors.
"Data breaches like this one, and past breaches such as at T.J. Maxx and Sony PlayStation, raise important questions about the responsibilities corporations have to protect consumer data and inform their customers when data have been compromised."
Senator Richard Blumenthal, a Connecticut Democrat, is also co-sponsoring the bill.
"Disclosures about Target's even broader breaches of customer information will rightly add alarm and anger. Now, more than ever, an FTC investigation is necessary - and should be publicly confirmed - so that consumers know their rights and interests are protected," Blumenthal said in a statement.
The Federal Trade Commission privacy spokesman declined to comment, saying the agency does not confirm or deny the existence of investigations.
Data breach laws are more specific on the state level and the FTC can only bring lawsuits under the FTC act against companies if they are deemed to not have protected the data properly.
On Friday, Target cut its fourth-quarter adjusted earnings forecast for U.S. operations to between $1.20 and $1.30 per share, down from $1.50 to $1.60. The Minneapolis-based company also forecast a 2.5 percent decline in fourth-quarter same-store sales. It had forecast flat sales.
Target expects full-year earnings per share to include charges related to the data breach, but said it could not estimate the costs.
Janney Capital Markets analyst David Strasser described Target's holiday sales report card as "dismal."
"We all knew it was going to be bad at Target, but it was the magnitude of decline that was unclear," he said. "Clearly, the first half of the fourth quarter was impacted by an aggressive holiday season across retail, but the credit card data breach had a significant impact post December 19.
"The key risk remains the time it takes for consumers to forgive Target. If this is like past breaches this should normalize as the year progresses," Strasser added.
Additional by Karen Freifeld and Jilian Mincer in New York, Alina Selyukh in Washington and Siddharth Cavale in Bangalore; Writing by Richard Valdmanis; Editing by Tiffany Wu, Jeffrey Benkoe and Leslie Adler