Target's Data Breach Just Got Much Worse

Target’s massive data breach in November and December may have been 75 percent larger than earlier estimates indicated, according to a statement from the retailer this morning. The company said personal information was stolen from as many as 70 million customers, compared with its previous estimate of 40 million.

Much of the swiped information was “partial in nature,” though that will be scant comfort for the 30 million people who are realizing today that they might, in fact, have something to worry about. Target said it’s attempting to contact those whose information may have been pilfered. Meanwhile, the company is still helping the U.S. Secret Service hunt for the perpetrator.

The breach, according to Target, spooked would-be customers in the critical sales days just before Christmas. Business was buzzing ahead of expectations until Dec. 19, when the retailer announced the theft, which allegedly occurred from Nov. 27 to Dec. 15. The company now expects to report a 2.5 percent decline in fourth-quarter sales at stores open more than a year, down from a prior estimate of mostly unchanged revenue.

Target also ticked down its profit forecast and said it may have to write down additional charges related to the data breach in the past quarter, costs that will no doubt swell as the company grapples with more than two dozen lawsuits, mostly from compromised customers.

Anyone who’s ever been blindsided by a computer virus can probably muster at least a little sympathy for the Minnesota-based retail empire, but Target is struggling with the basic tenet of crisis management: Get ahead of the news.

It discovered the fraud relatively late and has sent a stream of updates in the weeks since, including today’s major increase in the number of estimated victims. Making a conservatively large estimate at the outset and then reducing it may have sapped some of the momentum from the PR fallout. Instead, Target is dealing with an accelerating crisis.

In short, the company could have taken a page from New Jersey Governor Chris Christie’s playbook yesterday: Talk about the scandal immediately and for so long that at least a few people start changing the channel.

Rob Markey, head of customer strategy and marketing at consultancy Bain, said Target has done an admirable job communicating directly with potential victims, his wife among them. Today’s announcement, however, could undermine some of that goodwill.

“I’d be worried if I were them about a further loss of consumer trust,” he said. “People are asking themselves was this a result of incomplete information or were they not telling us something?”

Here’s the apology Target Chief Executive Officer Gregg Steinhafel offered in this morning’s release: “I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this.”

Compromised customers, we’d bet, would choose a much more colorful adjective than “frustrating.”

Target, meanwhile, said it would offer its customers one year of free credit monitoring and identity theft protection. Shoppers will have three months to enroll in the program, which no doubt involves giving Target their personal data.
