NEW YORK (AP) — Target's massive pre-Christmas security breach may have affected more than 70 million people.
The incident could turn out to be one of the largest data breaches on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90 million records pilfered from TJX Cos. Inc.
Target Corp. disclosed last month that about 40 million credit and debit cards may have been affected by the breach that occurred between Nov. 27 and Dec. 15. But according to new information released Friday, those criminals also stole personal information — including names, phone numbers as well as email and mailing addresses — from as many as 70 million customers who could have shopped at stores outside of that timeframe.
Some overlap exists between the two data sets.
Here's what you need to know if you think your data was compromised:
Q: How did this happen?
A: Target has said that the breach was caused by malware that affected its U.S. stores.
Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches like this one, says it's likely that the perpetrators infiltrated Target's main information hub with malware and from there were able to access the store point-of-sale systems. Once the malware was in the POS systems, it could collect credit and debit card numbers as the cards were swiped.
Stasiak notes that retailers routinely collect personal information such as addresses, emails and phone numbers through things such as rewards cards when sales are made, so that information is also contained on POS systems just like credit card numbers.
Q: If my card number was stolen, what exactly am I on the hook for?
A: In most cases consumers aren't responsible for fraudulent credit card charges.
Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn't happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately. Usually the worst thing consumers have to deal with is the hassle of getting a new credit card.
But since debit cards don't come with all of the same protections, holders of those kinds of cards may have a harder time getting their money back.
And the banks and credit card companies ultimately won't be stuck with the bills, either. Since the fraud has been tied to Target, the retailer will be responsible for compensating them.