Revised figures from Target Corp have nearly doubled the number of customers to be hit by data theft over the Christmas holidays, up from 40 million to some 70 million credit and debit cards.
In December the company reported that that hackers had stolen card data including numbers, names, postal addresses, phone numbers and email addresses, though the data is said to be "partial in nature." Thieves are reported to have installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores between November 27 and December 15 last year.
Target has offered one year of free credit monitoring and identity theft protection to all its US customers, with three months to enroll, and has said customers would have "zero liability" for any fraud losses; it is also providing tips on avoiding scams for those whose emails were taken.
Nonetheless, some customers still reportedly intend to sue Target, for failing to notify them of the breach before it was first reported and for not maintaining “reasonable security procedures" to prevent the attack.
Sales had been going well, but were then hit by the breach with forecasts for fourth-quarter earnings down. Target shares initially fell 32 cents to US$ 63.03 (approximately £38.25) shortly after the market opened, with the company announcing reduced Q4 earnings from flat to a 2.5 percent decline.
Jason Hart, VP Cloud Solutions at SafeNet commented: “Whilst the payment information taken in the Target breach was encrypted, immediately reducing the impact of the breach, it is clear that data cannot be encrypted in isolation.
"Right now, companies encrypt to be compliant with numerous data breach regulations, such as PCI-DSS. However, as with most compliance regulations, PCI-DSS only mandates a lowest common denominator-level of security and more protection is required. Organisations now need to move beyond basic regulations and ensure that they are securing data throughout its whole lifecycle. This means securing data at the application layer (such as point-of-sale terminals), while it is in transit or motion, and when it is stored."
Hart added: “One of the most common mistakes that organisations make is storing the encryption key in an insecure manner, thus exposing sensitive information to significant risk. Therefore, only those companies that encrypt all valuable data and apply tamper-proof and robust controls to the management of the keys, can be safe in the knowledge that their data is protected whether or not a security breach occurs.”
Target is the third-largest US retailer and this is the second-largest such breach reported by a US retailer.