Target has found that 70 million more people had personal information stolen in the security breach discovered last month, and experts say the type of data taken indicates the hackers went deeper into the retailer's network than previously thought.
Target said Friday that names, mailing addresses, phone numbers or email addresses were also taken during the holiday shopping season. The retailer had said in its original disclosure Dec. 19 that debit or credit card numbers of 40 million accounts were stolen.
In the latest update, Target said the stolen information belonged to "up to 70 million individuals," which amounts to more than a fifth of the number of people living in the U.S. How many of these people actually become victims of fraud as a result of the hack remains to be seen.
Meanwhile, security experts say the differences in the kind of data stolen in the first and the second announcement indicate that the hackers broke into two separate systems.
Based on what Target has said, the card data was taken from its computerized cash registers, called point-of-sale systems in tech jargon, which would not have the other information the retailer says was stolen.
"It looks like these are two completely separate systems," Chris Camejo, director of assessment services at consultancy NTT Com Security, said. "The names, phone numbers, email addresses, that's coming out of a completely separate database somewhere else."
Sol Cates, chief security officer of data security vendor Vormetric, said the hackers could have started with the POS system and then searched for access to a database feeding customer information.
"I would not be surprise to find out that they were either querying, or interacting with, a centralized DB that could have been compromised as well," Cates said. "The fact that they were able to implement their attacks down to the POS system means that they were able to traverse many other paths and services that would have leveraged or serviced those POS systems."
Target says all of the information was stolen during the same security breach.
These types of discoveries are not unusual during computer forensics following a breach, experts say. Hackers are often found to have done more damage than originally thought, and the amount of data believed taken typically rises during the investigation.
For example, the 2007 data breach at TJX, which owns T.J. Maxx, Mashalls and HomeGoods, started with information taken from almost 46 million credit-card accounts, which later grew to 94 million. Fraud-related losses from Visa cards alone ranged from $68 million to $83 million.
"I would expect the number of impacted cardholders could still yet increase as the forensic analysis continues," Paul Henry, a senior instructor in forensics with the SANS Institute, said.
In terms of the impact on Target customers, experts were more concerned with the type of data described in the retailer's latest update than in the original disclosure about card numbers.
That's because the issuer usually absorbs the fraudulent charges on debit and credit cards. The other information stolen could help criminals build profiles on individuals, who can then be impersonated while applying for loans or filing a bogus tax return for a refund.
"If you find out that the (Internal Revenue Service) has given a refund to someone else in your name, you're looking at months of working with the IRS and waiting for them to work through the backlog of these cases," Neil Chase, spokesman for LifeLock, an identity theft protection company, said.
Target expects to suffer losses from the breach. In an updated forecast for the fourth quarter 2013, the company said financial results may include charges related to the hack, but was not yet able to estimate the cost. The charges could include reimbursement for card fraud and legal expenses resulting from lawsuits.
The company also reported "meaningfully weaker-than-expected sales" following the announcement of the breach, which occurred at the height of the holiday shopping season.
Find your next job with computerworld UK jobs