Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone numbers and email addresses for up to 70 million individuals.
The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”
Target said much of the data is partial in nature, but that in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.
Target Chairman Gregg Steinhafel apologized for any inconvenience that the breach may have caused customers, and said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.
This latest disclosure also raises questions about what other types of information may have been jeopardized in this data breach. As part of its statement, Target said it would be offering a year’s worth of free credit monitoring services to those affected. Target does collect Social Security numbers from customers who apply for Target Red Cards, which offer applicants 5 percent cash back if they agree to tie their debit accounts to the Red Card. So far, however, Target has not said anything about compromised Social Security numbers.
Reading between the lines, one might wonder why Target is providing credit monitoring services to those hit by what is essentially a credit card breach. Many people conflate credit card fraud with identity theft, but these are two very different problems. The former is quite easy for the consumer to resolve, and he or she has very little (if any) liability for fraud. Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer’s name, which can take many years and cost thousands of dollars to resolve.
The reason Target is offering ID theft protection as a result of this breach probably has more to do with the fact that this step has become part of the playbook for companies which suffer a data breach. Since most consumers confuse credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, whereas experts tell me that this offer mainly serves as a kind of “first response” to help the breached entity weather initial public outrage over an intrusion.
Update, 1:07 p.m. ET: Added additional perspective on this announcement.