Correction: An earlier version of this story incorrectly stated that the 3-digit security code found on the back of cards had been stolen in the Target breach. This version has been updated to reflect that only encrypted PINs were stolen.
Target said Friday that the massive cyberattack it suffered during the height of the holiday shopping season may have affected an additional 70 million customers and swept up far more information than it originally reported.
Here’s what you need to know:
Q: What information was taken?
A: In December, Target said the credit and debit card information of up to 40 million customers was stolen in an attack on its computer systems. Customers’ PINs — or personal identification numbers — were stolen in encrypted form, Target said, but the security codes found on the back of payment cards, known as CVV2 numbers, were not taken.
On Friday, Target said the names, phone numbers, mailing addresses or e-mail addresses of an additional 70 million customers may have been stolen during the data breach.
Q: So how many people were affected?
A: It is unclear, but it could be up to 110 million. Target says some customers may belong to both groups, meaning both their personal information and their payment data could have been stolen. That overlap would lower the overall number of people affected.
Q: What Target customers were affected?
A: The original breach Target reported affected customers who shopped in stores between Nov. 27 and Dec. 15. It did not include customers who shopped online.
But the stolen personal information, including names and phone numbers, is not limited to customers who shopped during that period. It potentially includes any Target customer who has shared that type of personal information with the retailer.
Q: Why did it take so long for this to come out?
A: Target, the Secret Service and the Justice Department are still investigating the cause of the breach and who was behind it. The company says it releases information as it is discovered, so this may not be the last you hear about it.
Q: How will I know if I’ve been affected?
A: Customers who think they may have been affected by the breach can call Target’s hotline at 1-866-852-8680.
Target says it will also notify via e-mail customers whose personal information was taken, provided it has their e-mail address.
Q: What does this mean for me?
A: If your payment information was taken, continue to keep an eye out for any strange transactions on your credit and debit cards. Hackers who take big swaths of data like this sell them to criminals, so your information could stay on the marketplace for a while.
Debit card users may want to take the precaution of calling their banks to get their PINs changed. Target says it is confident that customers’ PINs are secure because they were encrypted.
People who fall into both groups — their personal and financial data was stolen — are especially at risk and should be on the lookout for suspicious transactions on their cards. The exact number of people who fall into this category is unclear.
If only your personal information was taken, there is no immediate risk, but customers could be targets of online schemes. It’s best to follow common security practices such as not opening e-mails or attachments from unknown senders and not clicking directly on hyperlinks in e-mails.
Security experts warn that Target customers affected by the breach should be most concerned about phishing scams, because criminals could use the news to send e-mails that appear to come from their bank or Target. Such e-mails could direct users to a Web site made to look like one they already know, but these sites are frauds attempting to trick people into parting with personal information.
Q: Okay, there’s some fishy activity. What should I do now?
A: If there are fraudulent charges on your bill, report them to your bank or credit card company immediately. The sooner you’re able to flag bad transactions, the better — people aren’t liable for fraudulent transactions made in their names.
Target has said it will provide one year of free credit monitoring and identity theft protection to all customers who shopped at its stores, not just those who have been affected. Customers have three months to enroll in the program by going to Target’s Web site.
For a more comprehensive list of frequently asked questions, you can visit Target’s Web site dedicated to the breach.