Target's data breach: It gets worse

Summary: Target said names, email addresses and other data was stolen and could affect up to 70 million customers. This disclosure comes on top of a payment card breach outlined in December.

TOPICS: Security, CXO, E-Commerce

Target said Friday that names, mailing addresses, phone numbers and email addresses for up to 70 million people were also stolen along with payment card data.

The disclosure---the latest round of bad news for Target customers---comes as the retailer continues to investigate the loss of previously disclosed payment card data. Target first disclosed the data breach affecting 40 million consumers in mid-December.

According to the retailer, the latest disclosure doesn't represent a new breach, but was revealed as part of its first investigation.

Target added that a lot of the data is partial, but the retailer will contact those who had email addresses taken.

CEO Gregg Steinhafel, who has a security crisis that isn't going away easily, said in a statement:

I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this. I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.

While the fallout from the breach is tough to measure, Target did say that its fourth quarter same store sales will fall 2.5 percent compared to a prior expectation of flattish sales.

The company also said that fourth quarter REDcard penetration---Target's loyalty, credit and debit card---was in line with year-to-date trends before the data breach. Since the breach was disclosed "growth has moderated" but REDcard penetration is stronger than a year ago.

Target said it expects fourth quarter earnings of $1.20 a share to $1.30 a share, down from its previous outlook of $1.50 a share to $1.60 a share. Target also said it plans to close eight stores.

The company added that the fourth quarter may include charges from its data breach, but couldn't get specific.

According to the company:

At this time, the Company is not able to estimate the costs, or a range of costs, related to the data breach. Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities. These costs may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.

Talkback

82 comments
  • Security?

    Were there no security measures in place to prevent the breach? Was something overlooked or shortcuts taken? I hope the irresponsible parties in IT lose their jobs over this!
    sinkingsand
    • It's the CEO who made the decision that violated federal law

      It's the CEO who should lose his job and be prosecuted. He seriously violated federal law by making the decision to cover up the breach until after the holiday season. A crime that has affected millions of people. Unfortunately the people responsible for this kind of thing are seldom the ones who have to pay for their actions. It's usually some poor schmuck following the CEO's orders who gets tagged for the rap. Oligarchy rules...
      BeyondCom
      • BeyondCom jumping to conclusions w/o having facts?

        What evidence do you have that the CEO violated federal law, or actually covered up the breach? I have not seen that evidence yet. If he did, there will be repercussions. But to flat out state this is the truth is really sticking your neck out.
        bttlk
        • From SUSE LINUX (until 2004) to Microsoft Virtualization...

          ... here's what Target got :

          http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

          “We looked at VMware ESX Server in 2005, and part of the conversation was around the price of deployment,” says DeBrine. “Instead, Microsoft gave us everything we needed in a virtualization solution at lower cost. Given the pharmacy server experience, we knew Microsoft would be there for us, so we chose a Microsoft Virtualization solution as a key cost-optimization strategy for Target moving forward.”

          Yeah! Microsoft really gave them everything and looters too.
          MacBroderick
          • This is the high price of Windows ecosystem

            "Part of the decision to choose a Microsoft Virtualization solution came down to the powerful suite of server and desktop management tools from Microsoft that work with both virtual and physical environments. “We felt that Microsoft Virtualization technologies met the requirements we had in our stores at the most attractive price point,” says Thompson. “But we also liked where Microsoft was going with its System Center data center products for infrastructure management. Today, we use System Center products heavily to streamline how we manage and update more than 300,000 endpoints across our network: servers, virtual machines, mobile devices, PCs, and POS registers.” "

            http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
            MacBroderick
          • Might not have had anything to do with it

            It is believed that POS terminals were the target. How the POS terminals were infected is still unclear. Since most POS terminals are Windows-based, it is not clear that the terminals were not already Windows before the switch from SUSE Linux on the server side. POS terminals must have access to customer info, since they must print receipts, etc. If the POS terminals are compromised, then there is no need to hack into the server. Until we know how the terminals were hacked, and more specifically how they transmitted the data to the hacker, we cannot know what can or cannot be blamed on server-side security. My guess is there was an insider who planted the initial compromised POS terminal.
            Jaybus
        • If a Bank or Hospital did this they would be fired.

          The persons at the Top must be responsible for what their people under him do and do not do.
          That is what they get the Big Bucks for.

          What you are saying since he did not know what was going on then he is innocent.

          They knew the Security of Personal Information was poor but it was up to industry standards.

          People look the other way because it costs money to fix or it is just plain easier.
          tbooton@...
      • Holiday Season

        Ummmm, since when is Dec 15th after the holiday season? I changed my debit card before Christmas to make sure I was protected.

        Perhaps it was *I* who saw into the future? Wow, next I'll get the Powerball numbers!! woohoo!
        THavoc
      • It is too big to cover up.

        They wouldn't be able to cover it up. It's just too big to even try, plus we haven't gotten all the information in yet. I bet there is more to come with this mess. I just feel sorry for the customers that have to deal with this S#!t. Like what has happened to Bank of America the cost of a financial data breach can be astronomical. It cost the Bank of America approximately $10 million when an employee leaked customer information to an identity theft ring. Bank of America didn’t announce the breach to the public until the suspects had been arrested. The cost to Bank of America wasn’t only financial, customers lost trust in the bank. This wasn’t their only breach, and Bank of America is not an anomaly.
        barrett217
      • We should dump Microsoft

        This was another shameful example how insecure systems of 800 lbs Redmond Dollar Gorilla really are.
        Frankie1965
        • Target isn't the only one...

          Then dump Sony and Apple too. They've also had security problems in the past. No system is 100% secure. Everyone acts like Target is the first company to have stolen credit card data.
          oxHanoverxo
    • The purse strings are partly held by those people IT reports to...

      .. and you can be sure more money will be allocated to security going forward.
      Spatha@...
      • I wouldn't count on it

        The stores are still busy. They'll sweep this under the rug and carry along like it never happened.
        mrefuman
        • 8 stores closed

          Hi :)
          Before this they estimated share-price would reach $1.50-$1.60 but since the breach they are looking at more like $1.20-$1.30. So, shareholders HAVE been hit.

          Also 8 stores closing. So that hits everyone.
          Regards from
          Tom :)
          Tom6
          • Not share price, earnings per share

            So shareholders not directly affected by that. Share price may have been affected also but no data on that was given.

            I work in IT at a large company so I'm familiar with what is likely to be going on at Target:
            1. They are bound by banking industry regulations to be able to offer the "Red" card in the first place. This includes security procedures and requirements intended to protect consumer confidence in payment industry security (else people go back to cash and the bank networks that charge fees per transaction get less money.)
            2. No system can be totally secure. This doesn't mean Target didn't screw up, just that they didn't have to in order for the breach to happen.
            3. The banks/payment clearinghouses take breaches like this into consideration when they do their regular updates of security procedures and requirements.

            Now, as a consumer:
            1. The breach did in fact destroy my confidence in Target's security procedures.
            2. The first thing I went to do was to increase my Red card pin to more than 4 digits. I found they wouldn't allow more than 4 so I tried to call to cancel my account and couldn't get through on any number. Finally I e-mailed them to cancel my Red card and ultimately they did.
            3. I don't appreciate the lack of transparency on the general nature of the breach. I won't be getting another Red card unless they give me reason to believe they have vastly improved their security (and allow me to have a pin of at least 7 digits.)
            DevRandom
          • Share price around $60

            The hit you reference is EPS, not share price. If the share price is that cheap, I want as many as possible so I can immediately sell them and retire.
            robradina@...
    • Tough thing to defend against

      Thieves are very clever. They'll study you, determine what kind of cash register hardware you use, and come in and swap out your payment hardware with a model just like it, but programmed to phone home to a hacker.

      The makers of payment tech like Ingenico, etc. work very hard to keep the devices from being spoofed or altered maliciously, but every time you think you've figured out how to lock it down, criminals think up an angle to abstract the hardware from the card insertion/swipe/or near field pass, and inject their own tech inside that abstraction.

      Not making excuses, but this kind of work is not easy.
      Mac_PC_FenceSitter
      • To be clear, I do not know what payment tech Target uses

        and BY NO MEANS do I mean to suggest it was Ingenico. They're just the first people that sprung up in my head.
        Mac_PC_FenceSitter
    • What Security?

      If the people of the USA and our Government do not require ALL institutions to safeguard our personal information then it will be hacked and hacked again.

      This Security and enforcement will cost us some $ however the alternative is we will lose our freedom.

      Tell your representative you want to keep your freedom and information and that if an institution has it they must safeguard it or if they cannot then delete it from their systems.
      tbooton@...
    • It's not always IT's fault...

      In my experience with big companies it is always "no money" or this is the excuse you get from upper management because they want to maximize their profits, they look at IT as a department that doesn't generate revenue so they never want to spend for it. I am not sure if this is entirely the IT Department's fault or not but someone should get fired for this BS... This was a bad call on multiple levels not just IT.
      xymantec