Story Summary

70 Million Had Personal Information Stolen in Target Breach

Shoppers who used credit cards or debit cards at Target between Nov. 27 and Dec. 15, 2013, may have been hacked, the retailer said. The number of customers who had their personal information stolen was upped from 40 million to 70 million, according to Target.

Story Timeline
This story has 5 updates

The data breach at Target stores could be affecting many more people than originally stated.

The exterior of a Target store is seen in this file photo. (Credit: KTLA)

Target released a statement on Friday, which said that up to 70 million customers had their personal information stolen.

Investigators determined that the names, mailing addresses, phone numbers or email addresses of these individuals were stolen, according to the statement.

In December, the retailer had announced that as many as 40 million customers were affected, and that credit and debit card numbers and encrypted PIN data were stolen between Nov. 27 and Dec. 15.

The U.S. Secret Service and the Department of Justice were investigating the breach.

The nation’s third-largest retailer, Target faces multiple class-action lawsuits over the hack.

Below is Target’s updated statement about the breach, which was released on Friday, Jan. 10, 2014:

As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.

This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests.  This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores. Guests will have three months to enroll in the program. Additional details will be shared next week. To learn more, please go to target.com/databreach.

A day after denying a report that PIN data was stolen during a pre-holiday security breach that affected some 40 million customers, Target confirmed Friday that the data had indeed been “removed.”

Reuters had reported Thursday that personal identification numbers were stolen amid a hack that compromised information for those that used credit or debit cards during the period from Nov. 27 to Dec. 15.

Up to 40 million cards could have been affected.

A Target spokeswoman had told Reuters in a story published Thursday that “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised,” confirming only that some encrypted data was stolen.

Then, on Friday, the Minneapolis-based retailer issued a statement confirming PINs were stolen, but seeking to downplay the impact.

Below is the statement in full:

Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.

While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.  

Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.

The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.

Target created a web page for customers to get information about the breach to ensure that customers were getting correct information directly from the retailer and would not be subject to phishing scams.

The U.S. Secret Service and the Department of Justice are investigating the breach.

Target and banks have assured customers they will not be responsible for fraudulent activity on their accounts, but advised those affected to closely monitor purchases on their account statements.

The nation’s third-largest retailer, Target faces multiple class-action lawsuits over the hack.

The discount retailer Target issued an apology Thursday and said it was working with a forensics firm to investigate a security breach that may have compromised the personal data of 40 million customers.

The unauthorized access may affect shoppers who made credit or debit card purchases at Target’s U.S. stores between Nov. 27 and Dec. 15, 2013, according to a statement released by the retailer.

Hackers reportedly stole information including customer names, card numbers, expiration dates and CVVs (three-digit codes).

Related: What to do if you think you could be a victim of Target data breach

Target, which operates 1,797 stores nationwide, said it was partnering with the forensics firm to conduct an investigation and prevent a similar breach from happening again.

“Additionally, Target alerted authorities and financial institutions immediately after we discovered and confirmed the unauthorized access, and we are putting our full resources behind these efforts,” the statement said.

The Secret Service was investigating the incident, spokesman Brian Leary confirmed on Wednesday.

Meanwhile, in its detailed statement, Target urged customers who made card purchases at the stores during the affected period to examine their bank and credit card statements carefully.

At a Target location in West Hollywood, shoppers reacted to news of the data theft.

“I just deal with cash now. That’s the safest way to go about shopping, for me anyway,” said Alex Gonzalez.

Target told customers who have been victims of fraud related to the security breach to call their banks and the Minneapolis-based chain at 866-852-8680.

Target also recommended reporting identity theft to the Federal Trade Commission on the FTC website or at 877-438-4338.

The CNNMoney staff contributed to this report.

NEW YORK — As many as 40 million Target shoppers who hit stores in the three weeks after Thanksgiving had their credit and debit card information stolen.

If you’ve visited a Target over the past several weeks, there are four steps you should take immediately to protect yourself.

1) Check your statement. It may seem obvious, but the first step you should take is looking for any charges you don’t recognize on your statement.

Don’t just look for large charges, either. Hackers often ping an account with micropayments of only a few cents to check the viability of the account. So if you see purchases of 6 cents or 11 cents, that could be a sign your information has been compromised.

2) Call your credit card company, bank and Target. Credit card companies generally offer customers fraud monitoring services at no cost, and customers aren’t on the hook for any fraudulent charges. Typically, the card issuer or the merchant is responsible for those costs.

But don’t wait for your card company or bank to call you. Let them know you’ve shopped at Target recently. All you have to do is call the number on the back of your card.

Target has also set up a phone line for customers who suspect there has been unauthorized activity on their accounts. Shoppers can call 866-852-8680.

3) Replace your credit card, change your PIN. If the bank didn’t already do this for you, do it yourself. This will put an end to any more fake charges.

Once you receive your replacement card, make sure to update your new card information with any companies that have your account on file for automatic payments or monthly fees, like your Apple iTunes account or cable provider.

4) Sign up for a fraud monitoring service. If you’re concerned about credit card theft going forward, LifeLock and other similar threat detection services claim that they can monitor your card activities and alert you when your account has gotten into the wrong hands. Most credit card companies offer similar services for free, but threat detection services say they go above and beyond, including offering protection of credit card information on the Internet and even lost-wallet insurance.

The Secret Service was investigating a possible data breach involving millions of shoppers using credit and debit cards at Target stores across the country.

Possible data breach being investigated at Target stores. (Credit: KTLA)

Secret Service spokesman Brian Leary confirmed the investigation to CNN on Wednesday, but declined to comment further.

A report from security researcher Brian Krebs states that Target suffered a data breach around Black Friday “potentially involving millions of customer credit and debit card records.”

The Secret Service would not elaborate on the type of breach, but Krebs reported it may have involved the machines used to swipe shoppers’ cards.

Those potentially affected were in-store customers, not online shoppers.

CNN contributed to this report.
