Target's investigation into a massive credit card hack this holiday season has turned up even more security problems. Last month, Target admitted a massive data breach had affected roughly 40 million customers who swiped their credit cards in stores from November 27 to December 15. The company (in addition to the Department of Justice) has been looking into the cyber attack, and periodically updating the public with its findings. The last time we heard from Target it said that encrypted PIN numbers had been stolen.

Now, Target is doling out more bad news to customers and shareholders alike, expanding both the number of those negatively affected by the breach, and the type of information taken. In a earnings release today, the company stated that stolen content includes personal contact information (addresses, emails, and phone numbers) of up to 70 million customers. Obviously, their fourth quarter earnings projections have been scaled down significantly following the incident. 

Here's what we know from the most recent update

  • This newly revealed data theft is part of the same breach that allowed hackers to steal the credit card data from 40 million Target patrons after Black Firday. Those same 40 million may be included in the 70 million who had names, mailing addresses, phone numbers or email address compromised. For context, 70 million people amounts to nearly 20 percent of America's population. 
     
  • According to CNN, the latest figure is in addition to, but not exclusive of, the previous estimate, meaning that there could be overlap between the two. Target said that "much of this data is partial in nature," but that it will reach out to those affected via email if possible. They won't be asking for users to send any information back to Target, so any email from the company with such requests should be treated as a phishing attempt. 
     
  • In an effort to make amends with customers, Target is offering a year's worth of credit monitoring and identity theft protection to all customers. They say: 

Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores. Guests will have three months to enroll in the program.

  • The company's fourth quarter forecasts have been scaled down considerably in light of the breach. According to Target, shareholders should expect "meaningfully weaker-than-expected sales since the announcement..." and "a comparable sales decline of (2)% to (6)% for the remainder of the quarter." 
     
  • Fallout from the breach is likely to have a negative effect on fourth quarter sales: 

At this time, the Company is not able to estimate the costs, or a range of costs, related to the data breach. Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities. These costs may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.

  • The company will close eight retail stores on May 3, 2014. This doesn't really appear to be related to the breach, but it is happening. 

 

Unfortunately for Target, the efforts to appease customers may be too little, too late. 

We're afraid to imagine what the next update from Target will announce, and what Target's stock will look like by the end of the day. It dropped nearly 2 percent after the opening bell on Friday morning.