In addition to the 40 million credit and debit card numbers previously reported, criminals stole personal information, including names and e-mail addresses, from 70 million Target customers, Target Corp. reported today. It's not clear how much overlap there is between the two groups, the retailer says. Online retailers that require customers to enter the CVV2 code on the back of cards should be safe, as that data was not compromised.

Target Corp. reported today that the data breach it disclosed last month was even wider than first believed.

The retail chain now says that criminals gained access to personal information, including names and e-mail addresses, about 70 million Target customers. That’s in addition to the 40 million credit and debit card numbers and related data that Target previously reported being compromised. While that could mean up to 110 million consumers are affected, there may be some overlap between the two groups, reducing the total number of impacted individuals, the retail chain said today.

Target said today that thieves gained information that includes “names, mailing addresses, phone numbers or e-mail addresses” for 70 million consumers. “Much of this data is partial in nature, but in cases where Target has an e-mail address, the company will attempt to contact affected guests,” the chain said in a statement this morning.

Previously, Target had disclosed that thieves had stolen data about 40 million credit and debit cards, including the card numbers,  expiration dates and a security code known as the Card Verification Value embedded in those cards’ magnetic stripes. That would help thieves produce phony physical cards for use inside bricks-and-mortar stores.

However, the thieves did not get one piece of data that they would need to make fraudulent purchases at many online retail sites. That is the three- or four-digit CVV2 security codes printed on the back of payments card. Target says the criminals did not capture those codes. That’s a crucial point for online retailers, as most e-retailers ask for that CVV2 code at checkout. If the thieves did not get that information, then they would not be able to use the card information they have obtained to commit fraud at retail web sites that require entry of that code, payment security experts say.


“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” says Gregg Steinhafel, Target’s chairman, president and CEO. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Target is No. 18 in the Internet Retailer 2013 Top 500 Guide. In its statement today, Target said it anticipated a 2.5% year-over-year same-store sales decline in the fourth quarter for its U.S. segment, and that those earnings will include costs of the data breach.

The data breach involved transactions at U.S. Target stores that took place between Nov. 27 and Dec. 15. Check back with today for any updates, including comments from payment security experts about what this could mean for e-commerce.