Target disclosed on Friday that a mass information breach involved data belonging to up to 70 million individuals –a number far more extensive than originally believed.
The big box retailer said that a probe into the hacking of customers’ personal data found that stolen information–separate from payment information already reported–included names, mailing addresses, phone numbers or email addresses for tens of millions. The new figure was significantly higher than the 40 million the company initially reported.
Although Target previously stated the breach wouldn’t compromise card holders’ accounts, the dramatic rise in the number of people affected called that assumption into question.
Experts say thieves may find a way to manipulate sensitive data to withdraw money from card holder accounts, or make other unauthorized transactions. In the wake of the mass theft, the retailer vigorously disputed reports that personal identification numbers (PINs) had been compromised.
“The unfortunate part about this, the part we can’t escape, is that once the information is gone, it’s gone,” Paul Viollis, CEO of Risk Control Strategies, told CNBC in an interview. “The consumer is going to have to monitor on a monthly basis not only their credit card statement, but from their credit bureau as well.”
Regardless of that vigilance, the compromised data “is going to lead the criminal to where the people live, how many homes they have, where they travel to, what they buy, and that whole pattern of whether that person is affluent or not,” Viollis added.
Target has struggled to manage the fallout of the stolen data, which was hacked from the company’s cash registers between late November and early December. The snafu impacted the ability of millions of Americans to withdraw money and make purchases on their bank and credit cards ahead of the critical holiday shopping season.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s president and CEO, in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The company said that is clients would have “zero liability” for costs incurred by fraudulent charges. Additionally, it promised to provide a year of free credit monitoring and identity theft protection to all consumers who shopped at Target locations.
As a result of weaker sales in the wake of the data breach, the third largest U.S. retailer also cut its fourth-quarter adjusted earnings per share (EPS) forecast for its U.S. operations to $1.20 to $1.30, from $1.50 to $1.60.
Target’s stock, traded on the New York Stock Exchange, was last down by 60 cents in choppy pre-market trading.
More from CNBC