Target Chairman and CEO Gregg Steinhafel

Target revealed today that the massive security breach that hit 40 million customers’ credit and debit cards also encompasses the personal information of 70 million people.

As a part of its investigation into the breach, the retailer said that the attackers who stole millions of credit cards also got email addresses, phone numbers, names and mailing addresses for other customers. The company said that much of the information that was taken was incomplete, so while it will try to email affected customers, not all of the records that were taken had email addresses associated with them.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Target CEO Gregg Steinhafel said in a press release.

Target shoppers should be wary: scammers are known to use stolen contact databases like this one to defraud victims a second time, invoking the original breach to make their follow-up phishing calls and emails sound legitimate.

As should be expected, Target’s sales took a beating following the breach. As a part of its press release today, the company also downgraded its earnings per share guidance to between $1.20 and $1.30 per share, down from $1.50 to $1.60 per share, because of decreased sales following the breach. That’s good news for Amazon and other retailers who were able to pick up the company’s slack during the holiday shopping season.

The company will be offering a free year of credit monitoring to any of its customers, but it’s unclear whether that will restore confidence in Target’s security.

Comments

  • tsupasat

    Given the increasing sophistication of threats and porousness of perimeter defenses, a determined attacker is going to get in. IT security needs to shift from just protecting the perimeter to monitoring their environment for anomalous activity–not just signatures, but deviations from the norm for all activity. This blog post offers some thoughts on how to accomplish this goal: http://www.extrahop.com/post/blog/what-it-can-learn-from-targets-data-breach/

  • Jack_Bauer_101010

    As industry cannot be trusted to secure personal/confidential information, it is time for comprehensive legislation to regulate and reform *everything security* within the IT industry. PCI, HIPAA, and similar security “frameworks” have all repeatedly failed to protect information. We need a significant overhaul and consolidation of all security guidelines/frameworks/best-practices. They need to move away from simply documenting high-level requirements to mandating very specific technical measures to be compliant. In addition, there should be significant fines for failing compliance or for security breaches. IMO, Target should be fined upwards of $1B for the breach which could have been avoided with proper network access controls (from what I’ve understood about the breach so far).

    The IT security industry is flooded with different security frameworks from government (NIST, E.O. 13636, etc) and private industry (ISACA, ISO, SANS, etc.) that have proven ineffective time and time again. It’s time to move away from the carrot approach to the big stick approach since the industry obviously has failed to regulate itself.

    We are at a point where you can’t trust *anything* electronic… nothing. And that needs to change.
