Target revealed last week that its pre-Christmas security breach was much worse than thought. Instead of some 40 million credit and debit card accounts, 70 million to 110 million were affected.
Target said Friday that its ongoing investigation found information from at least 70 million consumers, apart from the 40 million payment card accounts previously disclosed, was stolen during the data breach. It said this is not a new breach and there may be some overlap between the two groups.
Also, even more personal data — including phone numbers as well as e-mail and mailing addresses — were stolen. Initially, hackers were believed to have taken just payment card data: names, card numbers, card expiration dates, debit-card PINs and the embedded code on the magnetic strip on the back of cards.
The ongoing investigation showed that much of the data was partial in nature. Advice will be send to consumers with possibly stolen e-mail addresses to guard against consumer scams.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, chairman, president and CEO, Target, in another apology that was printed, among other places, in a full page ad in the New York Times this morning.
Target shaved its fourth-quarter earnings guidance with comps now expected to decline 2.5 percent in the period, down from prior guidance of flat comps. Stronger-than-expected sales prior to the Dec. 19 breach revelation were followed by "meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days."
The new breach disclosures led to another round of widespread negative media coverage and security warnings. Target still hasn't explained how hackers accessed the data.
Although some felt Target was being as forthcoming and reassuring as possible, some felt more steps, such as TV commercials, would be necessary to regain shoppers' trust. Beyond apologies, Target offered a 10 percent discount the last weekend before Christmas as well as free credit monitoring and identity theft protection.
"Target is in a critical situation with consumers because its credibility and brand loyalty are being questioned,'' David Johnson, CEO of Strategic Vision, LLC, a crisis management firm, told the Associated Press.
Hemu Nigam, CEO of SSP Blue, a security consulting company, told the New York Times, "At this point they're really in that stage of having to showcase what they're doing to go forward."
Other stories explored what the deepening breach — estimated now to be bigger than TJX's 2007 breach — would mean for other retailers and shoppers' anxieties overall. A report Friday indicated Neiman Marcus was also investigating a similar data breach.
"It's 2014," Ken Stasiak, CEO of SecureState, told NBC News. "We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."
Has Target been doing more or less than it should to communicate with shoppers over the data breach?