Target breach worse than thought; states launch joint probe
By Dhanya Skariachan and Jim Finkle
NEW YORK/BOSTON (Reuters) - The data breach at Target Corp over the holiday shopping season was far bigger than initially thought, the U.S. company said on Friday, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Target said an investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Previously, the No. 3 U.S. retailer said the hackers stole data from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She said some of the victims did not shop at Target stores during the period of the breach, between November 27 and December 15, and that their personal information was stolen from a database.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target Chief Executive Gregg Steinhafel said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved.
"A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach," Massachusetts Attorney General Martha Coakley said.
Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email "phishing" campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
"I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC. Continued...