Target and Neiman Marcus hacks: The latest

CNN/ Newswire | 1/13/2014, 6:39 a.m.
Many questions remained unanswered Monday after Target said its holiday shopping hack was worse than first believed, and another major ...
The data breach at Target was significantly broader than originally reported: The company said that 70 million customers had information such as their name, address, phone number and e-mail address hacked in the breach.

By Gregory Wallace

Many questions remained unanswered Monday after Target said its holiday shopping hack was worse than first believed, and another major retailer said it too had been breached.

Neiman Marcus said over the weekend that cards of some customers had been used fraudulently, but provided little additional information.

It follows a breach at Target that could become the largest in U.S. retail history. The company acknowledged Friday that up to 110 million customers were affected.

"Clearly we are accountable and we are responsible—but we are going to come out at the end of this a better company and we are going to make significant changes," Target CEO Gregg Steinhafel said in an interview with CNBC.

In addition to the 40 million customers of the chain's U.S. stores whose credit and debit card data was stolen during the busy holiday shopping season, hackers lifted personal information -- including names, addresses, email addresses and phone numbers -- for 70 million customers.

There may be some overlap between the two groups, but Target couldn't say how many were counted twice.

Among those 70 million people may be customers who haven't shopped at Target recently, but whose information was stored in company databases. It was unclear if online shoppers were impacted by the personal information breach, and spokeswoman Molly Snyder said only the information was collected and stored "during the normal course of business."

Neiman Marcus said Saturday it, too, was "the victim of a criminal cyber-security intrusion" involving customers' credit cards.

The luxury retailer said in an online post that it was notifying "customers whose cards we know were used fraudulently after purchasing at our stores." Neiman Marcus spokeswoman Ginger Reeder said she could not say how many customers were affected or notified.

The breaches raised questions about whether other retailers had also been targeted. The news agency Reuters, citing unnamed sources and without naming stores, reported that at least three other retailers in the U.S. had suffered breaches with tactics similar to those used at Target.

That wouldn't surprise Daniel Ingevaldson, chief technology officer at Easy Solutions. He said, based on his experience, breaches happen often but "they're not being noticed."

A spokesman for the Secret Service, which is investigating the Target breach, had no comment on whether the agency was investigating breaches at other retailers. Officials at the Justice Department did not immediately return requests for comment.

Credit card numbers enter the black market: The impact of the breaches on customers, their banks and the retailers is not yet known.

But millions of stolen credit card numbers have recently turned up on the black market, according to Ingevaldson.

Easy Solutions works with financial services firms and retailers on fraud, and monitors black markets where credit card data is fraudulently sold. The company is not working for Target or Neiman Marcus investigating their breaches, Ingevaldson said.

Many online forums that trade in this data are based in Eastern Europe, though it "really it doesn't matter where these forums are," he said, because the black market for stolen information is global.