The data breach at Target Corp. over the holiday shopping season was far bigger than initially thought, the retailer said on Friday, as state attorneys general announced a nationwide investigation into the cyberattack.
The personal information of at least 70 million customers was stolen by cybercriminals, including names, mailing addresses, phone numbers and email addresses, Target said. Previously, it said data was stolen from some 40 million credit and debit cards between Nov. 27 and Dec. 15.
Spokeswoman Molly Snyder said it was likely the two groups overlap, but said the extent of the overlap was not clear yet.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target Chief Executive Gregg Steinhafel said in a statement on Friday.
The No. 3 U.S. retailer lowered its fourth-quarter profit forecast, in part because of weaker-than-expected sales since reports of the cyberattack emerged in mid-December. Target's shares fell 1 percent to $62.72, hovering near a year low.
Security experts said they feared Target has not fully grasped the scope of the data breach, which is considered the second biggest payment-card attack in retail history.
"I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyberintelligence analyst who runs his own consulting firm, TrustedSec.
Attorneys general from New York and Massachusetts announced on Friday that they were joining a nationwide probe into the security breach. New York Attorney General Eric Schneiderman called Target's announcement on Friday "troubling."
"Consumers in New York and around the country expect and deserve companies to protect their personal information when they shop on websites and in their stores," Schneiderman told Reuters.
Jaclyn Falkowski, a spokeswoman for Connecticut's attorney general, said: "We are actively engaged in investigating this matter with colleagues across the country and will be looking at these new and serious aspects disclosed by Target today as part of that investigation."
Target said last month that hackers stole data from up to 40 million credit and debit cards during the peak holiday shopping season. Information security experts said the data could be used to fabricate false magnetic-strip credit cards.
Cybercriminals typically sell stolen personal information on underground exchanges for use in email "phishing" campaigns aimed at persuading victims to hand over even more sensitive information, such as bank account numbers.
If a Target customer's information was stolen, "I would be very careful in looking out for phishing scams," said Mikko Hypponen, chief research officer for the computer security software company F-Secure.
Reports of fraudulent card charges have been growing since the breach was disclosed, said an executive at one major card issuer who asked not to be identified.
The full magnitude of the damage won't likely be known until later in January, when customers receive and examine their monthly statements and call their banks, the executive said. He added that in past cases, it has taken 30 to 45 days for the vast majority of bad charges to surface.
Target and credit card issuers have said customers will have zero liability for the cost of any fraudulent charges.
The largest-known breach at a U.S. retailer, uncovered in 2007, was at TJX, where more than 90 million credit cards were stolen over about 18 months.