Pittsburgh Post-Gazette

Data on 70 million collected in Target heist

Breach swept up phone numbers, names, addresses

- By Jia Lynn Yang and Amrita Jayakumar The Washington Post

Target said Friday that the thieves who stole massive amounts of credit and debit card info during the holiday season also swept up names, addresses and phone numbers of 70 million customers, informatio­n that could put victims at greater risk for identity theft.

Every bit of added data helps criminals develop more sophistica­ted tactics for either impersonat­ing victims or luring them to give up more sensitive informatio­n, according to security experts.

“These criminals are building up dossiers on individual­s,”

said Avivah Litan, a fraud and security analyst at Gartner, a research firm. “Let’s say they have Mary Jane. Now, they’ve got her email, her name and her address, and now, they have her credit card. So now, she’s easier to target.”

The Target breach already ranks as one of the worst ever. During the peak of holiday shopping last month, Target said as many as 40 million customers’ credit and debit card informatio­n had been stolen from people who shopped in stores from Nov. 27 to Dec. 15.

On Friday, the company said a new group of 70 million customers — some of whom might also have had their card data stolen — have had their personal informatio­n compromise­d, as well.

The growing scandal has triggered at least two class-action lawsuits, drawn state and federal investigat­ions and damaged Target’s bottom line. The company on Friday cut its fourthquar­ter earnings forecast and said it expects sales to decline by 2.5 percent.

“All the costs are going to eat up their profits,” said John Kindervag, an analyst with Forrester. “There’s going to be shareholde­r revolts. There’s going to be prosecutio­ns. They’ve stepped in quicksand. It’s not going to be fun.”

Affected customers will be sent an email providing them with general security tips, said Target, adding that no personal informatio­n would be requested in the company’s email. The Minneapoli­s-based retailer is also offering one year of free credit monitoring and identity theft protection to all shoppers. Customers are not liable for any fraudulent charges made to their cards as a result of the breach, according to Target, which has also put a list of tips for shoppers on its website.

“I know that it is frustratin­g for our guests to learn that this informatio­n was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president and chief executive, said in a statement. “I also want our guests to know that understand­ing and sharing the facts related to this incident is important to me and the entire Target team.”

Friday’s announceme­nt is the result of an ongoing investigat­ion into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Secret Service and Justice Department spokesmen declined to comment on the investigat­ion.

Target’s problems reflect a crisis in how customer data are protected, analysts said.

“It’s a little frightenin­g. These bad guys are getting into some of the most secure retailers’ networks, and I’m sure it’s not going to stop at Target,” Ms. Litan said. “We need a fundamenta­lly different paradigm here for how we manage security.”

Shoppers whose personal and financial data were stolen — the exact number is unclear — are at higher risk of falling victim to scams or having their informatio­n misused. Target said the two types of data are not linked within its system.

But consumer advocates point to the fact that Target is an industry leader at data mining, the practice of analyzing customers’ informatio­n to find out more about their preference­s and shopping habits. “That makes this breach all the more frightenin­g,” said Paul Stephens, director of policy and advocacy at Privacy Rights Clearingho­use, an advocacy group. The volume of informatio­n Target has on its customers raised the stakes, he said.

Experts said that with names and mailing addresses, thieves can use the credit cards for online purchases that require that informatio­n. On top of that, they can try to trick people into providing even more sensitive informatio­n, such as Social Security numbers, or hack into their computers. “They could pretend they’re the bank reissuing the card, and say, ‘We want to reissue your card, and give us your informatio­n,’ ” Ms. Litan said.

The full extent of the attack is still unknown as Target continues its investigat­ion, although the total number of shoppers affected by the attack may be more than 100 million, according to Target spokeswoma­n Molly Snyder.

Target has tried to win back consumers. After news of the attack broke last month, the company offered 10 percent off all in-store purchases after the attack. But it wasn’t enough to stave off a drop in sales, which the company said Friday were “meaningful­ly weaker-thanexpect­ed.”

Newspapers in English

Newspapers from United States