Target has found that 70 million more people had personal information stolen in the security breach discovered last month, and experts say the type of data taken indicates the hackers went deeper into the retailer's network than previously thought.
Target said Friday that names, mailing addresses, phone numbers or email addresses were also taken during the holiday shopping season. The retailer had said in its original disclosure Dec. 19 that debit or credit card numbers of 40 million accounts were stolen.
In the latest update, Target said the stolen information belonged to "up to 70 million individuals," which amounts to more than a fifth of the number of people living in the U.S. How many of these people actually become victims of fraud as a result of the hack remains to be seen.
Meanwhile, security experts say the differences in the kind of data stolen in the first and the second announcement indicate that the hackers broke into two separate systems.
Based on what Target has said, the card data was taken from its computerized cash registers, called point-of-sale systems in tech jargon, which would not have the other information the retailer says was stolen.
"It looks like these are two completely separate systems," Chris Camejo, director of assessment services at consultancy NTT Com Security, said. "The names, phone numbers, email addresses, that's coming out of a completely separate database somewhere else."
Sol Cates, chief security officer of data security vendor Vormetric, said the hackers could have started with the POS system and then searched for access to a database feeding customer information.
"I would not be surprise to find out that they were either querying, or interacting with, a centralized DB that could have been compromised as well," Cates said. "The fact that they were able to implement their attacks down to the POS system means that they were able to traverse many other paths and services that would have leveraged or serviced those POS systems."
Target says all of the information was stolen during the same security breach.
These types of discoveries are not unusual during computer forensics following a breach, experts say. Hackers are often found to have done more damage than originally thought, and the amount of data believed taken typically rises during the investigation.
For example, the 2007 data breach at TJX, which owns T.J. Maxx, Mashalls and HomeGoods, started with information taken from almost 46 million credit-card accounts, which later grew to 94 million. Fraud-related losses from Visa cards alone ranged from $68 million to $83 million.
"I would expect the number of impacted cardholders could still yet increase as the forensic analysis continues," Paul Henry, a senior instructor in forensics with the SANS Institute, said.
Sign up for CIO Asia eNewsletters.