New Target revelation raises stakes for consumers


New revelations surrounding the Target breach painted a clearer picture for consumers Friday, adding the specter of identity theft to the threat of unauthorized use of their credit or debit cards.

The retailer disclosed that thieves acquired personal information on roughly 70 million people during the breach that occurred late last year. That's on top of as many as 40 million shoppers whose debit and credit card information was stolen during in-store transactions from Nov. 27 to Dec. 15.

Target gave no details about how the additional theft occurred. A statement from the company said only that “it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken …”

Target characterized the lost personal data as “partial,” but said it may include names, mailing addresses, phone numbers and email addresses.

Although the two thefts apparently were simultaneous, “these are two distinct groups,” Target spokeswoman Molly Snyder said in an email to The Atlanta Journal-Constitution. “While there may be some overlap between the two groups (the 40 million and the 70 million) we don’t know to what extent at this time.”

That means that for an unknown number of individuals, thieves may be in possession of both some personal information and banking data. And data security experts said the threat of identity theft increases with every bit thieves are able to piece together.

“The more data elements that I have, the more likely it is that I can get more and I can round that out,” says Chris Bucolo, a senior manager of security consulting at ControlScan, an Atlanta-based outfit that helps merchants comply with card processing security standards.

“If someone wants to take that to the next level, it’s just a matter of a numbers game.”

Typically breaches take about half a year to detect, says Bucolo. Within that time, the criminals who have penetrated a company’s defenses can access all sorts of information, ranging from loyalty databases to credit card servers.

And that multiplies the risk for the company’s customers.

If all an attacker has is a credit card number and an expiration date, he can only bilk a bank account or take advantage of a credit card issuer.

But if the thief can combine a customer’s personal information with the data from the magnetic stripe on that customer’s credit or debit card, he can start to walk down a road that could eventually lead to taking out a line of credit in the victim’s name.

“You could probably social engineer other service providers like Amazon to take over those accounts,” says Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security, with just the records Target recently admitted were lost.

He’s referring to a specific type of attack that has criminals posing as an individual and tricking companies into sending them the victim’s private information.

To be sure, criminals must figure out a series of steps to unlock the most sensitive information, such as a person’s social security number. But some criminals make it their sole job to zero in on acquiring personal information.

The question is whether the thieves behind the Target breach — or those they might sell the data to — will decide that the potential payoff is great enough to justify the time and effort involved.

Already, reports are surfacing from the underweb — where certain forums act as criminal bazaars — that items for sale include the location data (the state, city and ZIP code) of the Target store where a given cardholder's information was stolen.

Generally, criminals are selling their bounty from the Target breach for $20 to $100-plus per card, according to information security blogger Brian Krebs.

Teams of computer criminals in eastern Europe are also offering to break the encryption around the PIN numbers Target lost, according to reports.

Federal legislators have also taken notice of the Target breach.

On Wednesday, Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., reintroduced the Personal Data Privacy and Security Act.

The bill, originally introduced in 2005, would establish a national standard for data breach notification that would require retailers to implement data privacy protections, according to a release from Leahy's office.

As of yet, there is no federal statute. But Georgia does have a data privacy law.

In its Friday statement, Target also lowered its projected adjusted fourth-quarter earnings per share to between $1.20 and $1.30, down from $1.50 to $1.60.

The retailer said it expects same-store sales to fall about 2.5 percent, rather than remaining flat, as it projected previously.

Finally, Target announced that in May it will close eight stores across the country, including one in Duluth.

Wall Street, meanwhile, took the company’s announcements largely in stride. As of early afternoon on Friday, Target’s stock was trading at $62.51, down 1.31 percent.