Target: Data breach caught up to 70M customers

Target says that personal information — including phone numbers and email and mailing addresses — was stolen from as many as 70 million customers in its pre-Christmas data breach. That was substantially more customers than Target had previously said were affected.
AP Wire
Jan 11, 2014

The chain also indicated its sales have been hurt by the breach, cutting its forecast for fourth-quarter earnings and a key sales barometer.

Its stock slipped in early morning trading Friday.

Target Corp. announced in December that about 40 million credit and debit cards may have been affected by a data breach that happened between Nov. 27 and Dec. 15 — just as the holiday shopping season was getting into gear.

But the net has now been cast wider, with more shoppers potentially impacted.

The company told customers Friday that its ongoing investigation of the breach has shown that more personal information had been stolen than it was aware of before and more customers were affected. It previously disclosed to customers that names, credit and debit card numbers, card expiration dates, debit-card PINs and the embedded code on the magnetic strip on the back of cards had been stolen.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Chairman, President and CEO Gregg Steinhafel said in a statement.

The company said customers won't be liable for the cost of any fraudulent charges that stemmed from the breach.

Target said it will try to contact customers it has email addresses for to provide tips on how to safeguard against consumer scams. The company said it won't ask customers for any personal information during its email communications.

It's also offering a year of free credit monitoring and identity theft protection to customers that shopped at its stores. Individuals will have three months to enroll in the program. Target said it will provide more details on that next week.

Target lowered its fourth-quarter adjusted earnings guidance to a range of $1.20 to $1.30 per share, down from $1.50 to $1.60 per share.

Analysts surveyed by FactSet expect earnings of $1.24 per share.

The Minneapolis company also said that it now foresees fourth-quarter sales at stores open at least a year will be down about 2.5 percent. It previously predicted those sales would be about flat.

This figure is a closely-watched indicator of a retailer's health. It excludes results from stores recently opened or closed.

Target cautioned that its fourth-quarter financials may include charges related to the data breach. The chain said the costs tied to the breach may have a material adverse effect on its quarterly results as well as future periods.

Shares of Target declined 32 cents to $63.03 shortly after the market opened.

The company has 1,921 stores, with 1,797 locations in the U.S. and 124 in Canada.


Former Grandhavenite

The fact that they may have gotten debit card numbers is one more reason to always choose to process a transaction as credit, rather than debit. With debit, there's nothing stopping thieves from draining your account once they have your PIN, and a lot of banks will just tell you "Too bad, you're not getting a refund." With credit, at least most of the companies will make you whole and you have zero liability for identity theft losses. Retailers hate it because of the higher swipe fees for credit, but as a consumer there's no reason to ever use debit when you have a choice.

I've also noticed a trend that in every one of these high profile data breaches, the companies initially understate the number of people affected, dollar amount taken, etc. I'm not sure if it's an attempt at damage control, or if they truly don't realize the scope of the breach until much later. Seems like it would help everyone involved if they'd just come clean immediately with everything they know.


Great advice - and this was a great comfort when I first read about the breach, after one of my maybe twice-yearly visits to Target...


Actually, the latest reports are saying over 110 million customers.

The Tribune seems to be a couple days behind the sources.


Seems like just another program to cure income inequality, particularly since there seems to be little appetite for making these thieves pay an appropriate penalty for the damage they are causing. We're so used to fraud we treat it as just another thing to deal with on a daily basis, like the weather.

retired DOC

There are laws that require a private company to report a data breach, but the ACA does not have to report any data breach. I find that sad and scary.


Two days ago the House passed a bill requiring such notification, with 122 Democrats voting against it, and the White House claiming it's too burdensome.

What's to worry about - it's only your most intimate personal health and financial information . . . .


"The bill, which passed with a 291-122 vote, is the latest of at least 46 votes on Obamacare with Republicans arguing the site lacked proper security and Democrats saying the law wasn’t on par with the standards private insurance companies follow and only gives HHS staff more paperwork.

But because federal laws that protect sensitive health data already exist and the U.S. Department of Health and Human Services (HHS) already has its own rules for breaches, the bill is a nonstarter for better cybersecurity. Those laws, which stem from HIPAA, make privacy and security requirements regarding health and medical records much tighter than those governing retailers like Target, where there is no uniform standard. Target announced in December that hackers stole millions of credit and debit card numbers from in-store shoppers between Nov. 27 and Dec. 15.

The difference is that HHS gives doctors, hospitals and private health insurance companies 60 days to tell patients about a breach, whereas Target, which has a breach victim toll passing 100 million, has no set amount of time in which it should notify customers, depending on the state.

If we’re going to put these restrictions on, it should apply to both public and private insurers, Rep. Henry Waxman (D-CA) argued before the House vote.

And while the site has had a host of IT problems since its launch in October, no breaches have been reported for Despite repeatedly asserting that cybersecurity experts question the site's security, Republican House members offered no examples of how data encryption, or other protective measures, were insufficient. In fact, the bill doesn’t mention encryption or any other electronic security measures that make information harder to steal at all.

Passing the Health Exchange Security and Transparency Act is one of several tactics the Republican Party is using in 2014 to derail Obamacare. Besides poking at’s security, the GOP has also sued to get rid of federal subsidies and fight Medicaid expansion".



So, I guess passing laws requiring private business to report data breaches is a tactic to derail private enterprise. There are no bounds to what defenders of Obama will do to obfuscate the truths about Obamacare, or that our overlords should not be subject to the same laws and regulations they impose on everyone else.

Tri-cities realist

Come on Vlad, using logic is so old fashioned, get with the progressive program! (Sarcasm for the dim bulbs)


...."for the dim bulbs" a burnt-out one......

Tri-cities realist





Btw, did you know that incandescents don't have ANY warranty at all?.....

Tri-cities realist

Yup. But their life is very predictable.


Huh? Sorry. I don't follow you. The article is about Target and a breach of security, for which there are few regulations; so you dropped the ACA into the mix; I showed that HHS already has in place regulations relating to breaches of security (and would add that Social Security and Medicare, programs which hold lots of personal and financial information, have not had any major cyber-security breaches) and that this new proposal is simply more fat to add to the sausage and shows that the Repubs are about as concerned about ACA/citizen cyber-security breaches as they are the endangered Nevada sage grouse.

Then this comment about lord's a'leaping that strains to tie the two topics into some recognizable relationship. Just more grousing?


Tsk Tsk So defensive; In fact, Retired Doc bemoaned there were no consumer notification requirements in Obamacare and I noted in response the Republican bill to include one that was voted against by 122 Democrats - simple, true, informative information.

You then cribbed the defenses published by boys in plaid onesies from their Mom's basement, and from Nostrilla Waxman (but nowhere disputed there is no requirement for the government to notify enrollees of breaches of their personal data - a result made likely by the poor design of the Obamacare website and its activation when it clearly was not ready).

So let's go to the jump - if you can direct me to legislation or regulations that require the federal government to notify enrollees in Obamacare of breaches of their data within a reasonable time frame (giving actual citations that can be verified), I will withdraw my criticisms; if you can't, then please admit that consumers should be notified when personal data is compromised, whether the information is in a private sector data bank or was provided under a federal exchange under Obamacare.

Talking points won't cut it.


You are surely very familiar with the Health Insurance Portability & Accountability Act of 1996 Privacy, Security, & Breach Notification Rules, and the Patient Safety & Quality Improvement Act of 2005 Patient Safety Rule, and in addition, the many addendums to both. Let's do this: If you can show me that the problem of cyber-security breaches or patient confidentiality is not adequately covered, and more legislation is necessary, I will withdraw my criticism quicker than Ted Cruz running down the hallway of the girl's dorm in his paisley bathrobe.


"So let's go to the jump - if you can direct me to legislation or regulations that require the federal government to notify enrollees in Obamacare of breaches of their data within a reasonable time frame (giving actual citations that can be verified), I will withdraw my criticisms";

Factual cites to legislation or regulations - crickets. (And it was a set up because I knew there are no requirements for notifying enrollees of data breaches under Obamacare) - give me citations or curl up with your onesie,


"..(And it was a set up...)" I see. Of course! - you were chumping me just as you accused me once (unjustifiably) in a fit of pique. But unbeknownst to you, whenever you appear reasonable, what with your degraded credibility these days, I immediately smell a set up. I am not inclined to spend time researching a topic that I don't find compelling just because you bait me to do so. Don't let that lowered bar slip and pin you down like a weasel in a trap.


Just wanted to see if you would be forthright and admit there is no notification requirement applicable to the gubmint - you didn't disappoint.

FYI, the Health Insurance Portability & Accountability Act of 1996 Privacy, Security, & Breach Notification Rules, and the Patient Safety & Quality Improvement Act of 2005 Patient Safety Rule, apply to insurers and medical providers NOT to the federal exchanges where you give your information to the government. Nice try.


For the sake of forthrightness: A little history re: the Federal government and security breach notifications =

Traditionally, Republican-led Congresses have not had much interest in passing Federal legislation, but have instead relied on the states to pass the laws. At this point, nearly all states have enacted laws requiring notice of security breaches of personal data. The fact that this basically creates a mosaic of fragmented, incoherent laws regarding liability has been ignored by Republicans.

Fast forward to the current law. Despite FISMA, HIPAA, and GLBA, not to mention their previous lead feet to pass any Federal legislation regarding Federal security breaches of personal data, they are now lathering at the bit to pass Federal legislation regarding Federal security breaches of personal data within the ACA, with the notification requirement a red herring, the massive Target security breach and subsequent notification a gift horse in the lap of Republican opponents of the ACA.

The word on the street is that after the government shutdown self-immolation, the GOP 2014 strategy is based around the trumpeting of Obamacare flaws. Have at it, boys!


Actually Vlad, there is a transparency measure that is part of the Obamacare privacy bill that is in place. Right now the government posts data once a month. The new bill, passed Friday 291 to 122, will require the government to notify consumers within 2 days of a data breach. I won't give you the areas I found this data but I will let you look it up yourself, it is quite easy to find. Hint: Washington


Transparency and posting data is not the same as the government being required to notify individual citizens when there has been a breach of the government exchange website, such as is required of private business.

Transparency to this regime is like a cross to a vampire - they don't even tell us how many have enrolled; what percentage are in Medicaid and what percentage in paid for insurance; how many enrollees have actually paid; how much they paid for the website; etc. ad nauseam.


And you only read part of it. The new bill passed Friday requires the Government to notify consumers within 2 days. I would say that is a reasonable amount of time.


I don't know what drove the 2 day requirement (most likely political considerations) - it seems unreasonably short to me, but do you think the 122 Democrats who voted against it would have changed their vote if the time had been 5 days? 10 days? 30 days?


Don't forget that those enrolling via the Federal exchange are from states that have not built in-house exchanges, but are sending their citizens to the Federal exchanges. As to how many enrolled, when you scope out the numbers from the Federal exchanges, State exchanges, those 26 or under that are covered through their parents' coverage, it looks like a minimum of 9 million and a maximum of 14 million.


You must have gotten a holt of some of the good Colorado smoke - 9 to 14 million? When the White House claimed 2.1 million two weeks ago? Oh yes, you and the Mom's basement boys are now including 3 million "kids" up to 26 years old who stay on their parent's plan as "signing up"; and 4 million who got put onto Medicaid. The spit will hit the fan when reality shows the paucity of real sign ups, making Obamacare unsustainable, driving costs up for new enrollees in 2014 and beyond, and the bailout of Big insurance that Obama is planning.

Apart from this gross manipulation of the numbers for the low information crowd, I believe it is obvious that if the best you can do is guess 9 million to 14 million, transparency and disclosure are not high on the regime's priorities for Obamacare.


a.) You put it out there - questioning the number of those enrolled. b.) I took the time to help you out and did the math. c.) I reported on my findings. Although math was never my strong suit, please don't belittle me by referring to the figures as a "gross manipulation". d.) I find it telling that instead of being happy that the numbers of those enrolled and now insured is actually greater than expected, you are unhappy with the methods of obtaining those numbers of people who now are insured. Would you consider sharing some of your apparently good Colorado smoke with me - I need it after this little interplay.

As for the insurance companies, you and your Free Market cronies should be happy to know that, according to the WSJ (no fair disrobing this source), health insurers are fighting tooth and nail for the millions of new customers - you know, the insurers that took advantage of a loophole and "canceled" policies? WSJ estimates insurance companies will be spending $500 million in ad campaigns in aggressively marketing directly to consumers, something many never have had to do. Yeah!! Now we will be bombarded with not only stupid, negative political ads in 2014, ridiculous Big Pharma ads 24/7, now we can sit and enjoy Big Insurance ads. Let's quick invest in marketing and advertising firms.


1. I didn't say YOU were manipulating the numbers - you got them from sources who are manipulating them grossly (White House claimed 2.1 million at beginning of January - now 9-14 million - most left wing sources claim 9 - by including for the first time those who stayed on parents' policy up to age 26 and those newly declared "poor" by changing the definition and thrown into Medicaid, which actually has poorer health care results than those who have no insurance). The lies out of this administration keep coming - if you like your statistics you can keep them (until we change them).

2. The insurers didn't take advantage of a loophole - they were perfectly happy to continue to sell and service bare-bones and catastrophic policies. They would have been breaking the law (Obamacare) if they didn't cancel the policies, which didn't include birth control and pregnancy coverage for those in their 70's and 80's and men.

3. Of course insurance companies spent millions in ads attracting customers before Obamacare - that's why Obamacare requires them to limit administrative costs, including advertising, to 15%. Obama is doing more advertising on behalf of insurers than insurers themselves.

