Target has issued an update on a holiday-season data breach, saying on Jan. 10 that the debacle affected up to 70 million individuals.
The retailer has been conducting a forensic investigation and discovered that additional customer information was stolen during the breach beyond what the company previously reported. The incident took place between Nov. 27 and Dec. 15.
What to Do: Cancel affected credit cards. Educate employees about securing sensitive data. Conduct security risk assessments. Reset users’ passwords for online accounts. Stay current with software security updates. Encrypt data.
Target will send data security tips to customers who have provided email addresses.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman and CEO, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The company will offer customers a free year of credit monitoring and identity theft protection.
“In light of the recent data breach, our top priority is taking care of our guests and helping them feel confident in shopping at Target,” John Mulligan, Target’s executive vice president and CFO, said in a statement. “At the same time, we remain keenly focused on driving profitable top-line growth and investing our resources to deliver superior financial results over time.”
The company reported that sales have been weaker than expected since the data breach announcement on Dec. 19. At that time, the company announced that the breach had affected about 40 million credit and debit card accounts, about 30 million below the current estimate.
The company cut its fourth-quarter adjusted earnings forecast for its U.S. business to $1.20 to $1.30 per share from $1.50 to $1.60.
“While we are disappointed in our 2013 performance, we continue to manage our business with great discipline and leverage our expense optimization efforts to reinvest in multichannel initiatives that generate long-term value for our shareholders.”
Target did not have additional comment beyond its Jan. 10 press release.
New York State Attorney General Eric T. Schneiderman has joined a national investigation into the breach.
“The news that Target has discovered a breach involving 70 million customers is deeply troubling,” Schneiderman said in a statement. “Consumers in New York and around the country expect and deserve companies that protect their personal information when they shop on their Websites and in their stores.”
Data from the Target breach is flooding underground markets, according to security blog KrebsOnSecurity. Card shops are selling the stolen information in data dumps and pulling the data from the cards’ magnetic strips, noted computer security expert Brian Krebs in a blog post.
“While it is not public information as to exactly how the POS system at Target became infected with malware, this data breach highlights the fact that vulnerabilities exist in every system,” Doug Pollack, chief strategy and marketing officer at ID Experts, a data-security firm, told CruxialCIO in an email.
To protect against data breaches such as the one at Target, CIOs should conduct security risk analyses and spot key threat vectors, he advised.
“Unfortunately this isn’t the first time, and is unlikely to be the last, that hackers have targeted retail payment infrastructure,” Pollack said.