UPDATE: The latest on Target’s Black Friday data breach plunged the incident to uglier depths.
The giant Minneapolis-based retailer today revealed new details, culled from a forensic investigation, showing that the attackers stole not only credit and debit card information but also names, mailing addresses, phone numbers and email addresses, affecting another 70 million individuals. Initially, Target reported losing only magnetic stripe data on 40 million payment cards.
“Today we are sharing that, as the result of the data breach, it has been confirmed that the partial personal information for up to 70 million individuals was also stolen. These are two distinct groups and are not linked,” Target manager of public relations Molly Snyder told Threatpost over email this afternoon. “While there may be some overlap between the two groups (the 40 million and the 70 million), we don’t know to what extent at this time.”
Target said it will be contacting affected customers by email.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Gregg Steinhafel, chairman, president and chief executive officer of Target, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Target said it is offering individuals who shopped at its U.S. locations one year of free credit monitoring and identity theft protection.
Target’s most recent announcement also accompanied an update to its fourth quarter financial outlook; the company announced it will miss Wall Street projections significantly, perhaps by as much as $0.40, and projects a sales decline of 2.5 percent. Target’s initial guidance was flat.
The announcement said fourth quarter sales were on an upward track prior to the breach announcement on Dec. 18; hackers reportedly had access to Target systems from Nov. 27, the day before Thanksgiving, to Dec. 15, the peak of the holiday shopping season. After the breach announcement, Target’s release today said, sales were “meaningfully weaker than expected,” and it expects a sales decline of 2 percent to 6 percent for the remainder of Q4.
Target has provided a number of updates since the initial breach announcement, each one refuting a previous claim or informing customers that the scope of the breach had worsened.
Soon after the initial announcement, which said only track data was stolen, Target amended that with an announcement that hackers had also made off with encrypted PIN data. Target assured customers the PINs were safe, but security experts cautioned that, despite the use of 3DES encryption, there were still ways that determined, well-resourced hackers could decrypt the information and, for example, begin to clone ATM cards.
Target said PIN data is encrypted at the point of sale terminal and decrypted only at its payment processor. The key, Target said, is not stored with the retailer and is never sent in transit with the PIN data. Experts told Threatpost that the PIN data is likely secure unless hackers get access to the key or the machine storing the key.
“Most people object to 3DES because it’s an ancient algorithm that was designed as a patch for (now broken) DES until AES was finalized,” said Matthew Green, a cryptographer and professor at Johns Hopkins University. “Now we’ve had AES for more than a decade, it’s questionable why we’d be using 3DES.”
The Payment Card Industry Data Security Standard (PCI-DSS), which governs how retailers secure payment card data and transactions, mandates unique keys for every payment terminal, limiting the scale of risk brought by the breach, experts said. That, of course, assumes Target is PCI compliant.
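The PIN-protection model described in the two preceding paragraphs (the terminal encrypts, the retailer's central systems hold no key, only the processor decrypts, and every terminal has its own key) can be made concrete with a small simulation. This is an added example written for this article; it is not code from Target, its payment processor, or Threatpost. The HMAC-based per-terminal key derivation and the HMAC keystream cipher are assumptions standing in for the 3DES-based scheme the article names; the property it demonstrates is the one the experts describe, namely that a database of captured PIN blocks is useless without a key, and that leaking one terminal's key exposes only that terminal's records.

```python
"""Model of per-terminal PIN encryption with the key held only by the processor.
Added illustration (not Target's or any processor's real code). The KDF and the
keystream cipher below are assumed stand-ins for the real 3DES-based scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


def derive_terminal_key(bdk: bytes, terminal_id: str) -> bytes:
    """Processor side: derive a unique key for one terminal from the base
    derivation key (BDK). The BDK never leaves the processor (assumption)."""
    return hmac.new(bdk, b"terminal-key|" + terminal_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream; stand-in for a real block cipher mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass(frozen=True)
class Record:
    """What the retailer's systems (and an attacker who copies them) see."""
    terminal_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def terminal_encrypt(terminal_id: str, terminal_key: bytes, pin_block: bytes) -> Record:
    """Terminal side: encrypt the PIN block and bind it to this terminal."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pin_block, _keystream(terminal_key, nonce, len(pin_block))))
    tag = hmac.new(terminal_key, terminal_id.encode() + nonce + ct, hashlib.sha256).digest()[:16]
    return Record(terminal_id, nonce, ct, tag)


def decrypt_with_key(key: bytes, rec: Record) -> Optional[bytes]:
    """Return the PIN block if `key` is the right terminal key, else None."""
    expected = hmac.new(key, rec.terminal_id.encode() + rec.nonce + rec.ciphertext,
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, rec.tag):
        return None
    return bytes(a ^ b for a, b in zip(rec.ciphertext, _keystream(key, rec.nonce, len(rec.ciphertext))))


def processor_decrypt(bdk: bytes, rec: Record) -> Optional[bytes]:
    """Processor side: re-derive the terminal's key from the BDK, then decrypt."""
    return decrypt_with_key(derive_terminal_key(bdk, rec.terminal_id), rec)


def records_exposed_by_leaked_key(leaked_key: bytes, captured: List[Record]) -> int:
    """Blast radius of one compromised terminal key over a captured database."""
    return sum(1 for r in captured if decrypt_with_key(leaked_key, r) is not None)


def simulate(n_terminals: int = 5, pins_per_terminal: int = 4) -> dict:
    """Build a constructed retailer database and measure what a single leaked
    terminal key exposes. Only ciphertext records are stored centrally."""
    bdk = secrets.token_bytes(32)
    terminal_keys = {f"T{i:03d}": derive_terminal_key(bdk, f"T{i:03d}") for i in range(n_terminals)}
    captured: List[Record] = []
    for tid, key in terminal_keys.items():
        for _ in range(pins_per_terminal):
            pin_block = bytes([0x04]) + secrets.token_bytes(7)  # constructed 8-byte stand-in PIN block
            captured.append(terminal_encrypt(tid, key, pin_block))
    return {
        "processor_decrypts_all": all(processor_decrypt(bdk, r) is not None for r in captured),
        "captured": len(captured),
        "exposed_by_one_terminal_key": records_exposed_by_leaked_key(terminal_keys["T000"], captured),
    }


if __name__ == "__main__":
    print(simulate())
```

With five terminals and four PIN blocks each, the processor decrypts all 20 records, while a key lifted from one terminal decrypts exactly 4. If every terminal shared one key (the situation PCI-DSS's unique-key requirement is meant to rule out), the same leak would expose all 20.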
This article was updated at 3:30 p.m. ET with clarification and comment from Target.