A revelation by Target showed its holiday data breach spanned far wider than originally expected, raising new questions about exactly how such an expansive hack took place.
The retailer said Friday that its investigation had uncovered that an additional 70 million customers may have had their names, mailing addresses, phone numbers, and email addresses stolen. Previously, Target said the breach occurred on the terminals where customers swiped credit and debit cards, compromising certain financial information of 40 million shoppers between Nov. 27 and Dec. 15, 2013.
Friday’s update, however, raises concern that the wider breach took place elsewhere in Target’s customer infrastructure. Target first said the only information affected was stored in the magnetic strips on the back of customers’ cards; a week later the retailer admitted customers’ encrypted PIN data had also been obtained. But personal information about shoppers—such as names, addresses and telephone numbers—is not stored anywhere on a credit or debit card, according to bank and credit card officials interviewed by CNBC.
Rodney Joffe, a cybersecurity expert at data firm Neustar, highlights the possibility that breaches extended beyond the point of sale in Target stores. “Given the information gathered, it would appear to be account information taken from internal accounting or marketing systems,” Joffe told CNBC. “My guess is that a marketing database was accessed, not necessarily financial.”
A Target spokesperson did not respond to a request for comment on whether the breach extended to Target.com or other databases that may store customer information. The spokesperson, Molly Snyder, maintained the breach took place during the previously disclosed two-week period.
Even that fact has been called into question as the details around the event remain unclear. Ryan Avery of North Dakota said his bank cancelled his debit card, citing the Target breach—even though he didn’t make a purchase during the time period in question. (Still, a representative for Avery’s bank, First Western Bank and Trust, said it only limited transactions on cards directly affected by the breach.)
In response to the incident, legislators could revive data security legislation that petered out several years ago before becoming law. On Wednesday, Sen. Tom Carper (D-Del.) told Politico he would reintroduce a bill that creates a reporting standard for breaches. Banks have gone one step further, arguing retailers should be subject to the same regulatory policies over data that they are under Gramm-Leach-Bliley—since a breach at a retailer could hold the same financial consequences as one at a bank.
In the meantime, Target and some of the large banks continue to reassure customers that they face zero liability for any fraudulent charges. Target says it will have new details next week regarding the free credit monitoring and identity theft protection services it is offering to affected customers.
—By CNBC’s Kayla Tausche and Amara Omeokwe