Target faced a PR nightmare over the holidays when, on Dec. 19, it announced a data breach that affected 40 million customers' credit and debit card accounts for in-person transactions made between Nov. 27 and Dec. 15.
On Friday, the nightmare got worse: The number of affected customers rose to between 70 and 110 million. And because the customers' personal information (including names, mailing addresses, phone numbers and email addresses) was stolen from Target's database, the breach affected people who hadn't shopped at Target during the time period initially reported by the retailer (Nov. 27-Dec. 15).
Target's data breach went from 40 million customers affected to a possible 110 million customers.
Target expects some overlap between the two data sets, but does not have the exact numbers yet.
"The expanding scope of the disclosures also illustrates another disturbing element in many cyberattacks: Not only do companies have trouble preventing them, they often have trouble fully understanding just what was stolen," wrote Steve Johnson of the San Jose Mercury News (Jan. 10).
The breach was also found to include customer PIN data.
"Target's disclosures have been especially troubling because they keep getting worse. Besides underestimating how many customers were affected, the company initially said it had no evidence the crooks stole debit card PIN numbers, potentially enabling them to steal the customers' money from ATM machines. But eight days later, it said 'strongly encrypted PIN data was removed.'"
Today, CNBC published an interview with Target CEO Gregg Steinhafel, who said he is "still shaken" by the enormous data breach and has had many "sleepless nights" because of it. I should think so.
But beyond the CEO's guilty conscience, Target could face hundreds of millions of dollars' worth of legal costs and years of litigation.
"The loss of such personal information significantly strengthens the legal cases of banks, credit unions and individuals looking to sue Target for fraud, negligence and invasion of privacy, some legal analysts say," wrote Thomas Lee of the Minneapolis Star Tribune (Jan. 12).
"Unlike credit and debit cards, which banks can quickly cancel or replace, most consumers are not about to change their names or where they live."
Lastly, not doing itself any favors, Target sent an email to customers after the data breach that Forbes' security, hacking and malware reporter said "looks like a scammer's (email)." Oh geez.