Target Ups to 70 Million Number of Accounts Possibly Hacked
Target cut back its Q4 outlook Friday, shaving 30 cents per share from its earnings forecast, while announcing that the number of consumers possibly affected by its credit card security breach has mushroomed to 70 million. That’s compared to the 40 million figure given when the breach was announced Dec. 19.
The 75 percent jump in Target’s estimate of the number of consumers affected by the data breach (CED Dec 23 p1) will spur interest among lawmakers in the subject of such financial information theft, said privacy experts and a lobbyist in interviews. They disagreed Friday on whether it would lead to legislation, as some lawmakers weighed in.
The security breach, which affected credit and debit card users shopping in stores Nov. 27 to Dec. 15 -- including the company’s REDcard holders and those using cards issued by third-party banks -- was originally said to be limited to cardholders’ name, card verification value, account number and expiration date (CED Dec 20 p1). Target expanded the breadth of compromised data Friday to include “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” There’s “no indication that Social Security numbers are part of this incident,” said a spokeswoman for the retailer. The scope of account type hasn’t changed, she said. “The payment card data still just pertains to guests that shopped in our U.S. stores during the specified time period.”
Target’s revised outlook anticipates a comparable sales decline of roughly 2.5 percent compared with previous guidance pointing to flat comp sales for the holiday quarter. The updated sales guidance reflects stronger-than-expected Q4 sales prior to the Dec. 19 announcement of the data breach, “meaningfully weaker-than-expected sales since the announcement,” and a comparable sales decline of 2-6 percent for the remainder of the quarter. The retailer said sales have shown improvement in the past several days.
Also in its credit card breach update Friday, Target said it is closing eight U.S. stores on May 3 “after careful consideration of each location’s financial performance.” The stores are located in West Dundee, Ill.; Las Vegas and North Las Vegas, Nev.; Duluth, Ga.; Memphis; Orange Park, Fla.; and Ohio’s Middletown and Trotwood. “Eligible team members” at those stores will be offered an opportunity to transfer to a similar position at a nearby Target location, the company said.
Janney Capital Markets analyst David Strasser called Target’s sales trend for the holiday season “dismal,” with U.S. EPS coming in at $1.20-$1.30 compared with Janney’s estimate of $1.50. While Target’s Canada stores were not part of the credit card security breach, Target’s revised guidance for that segment was lower, too, on a gross margin hit reflecting “clearance of excess inventory.”
“We all knew it was going to be bad at TGT,” Strasser said, referring to the company’s stock symbol, “but it was the magnitude of decline that was unclear.” Impact from the credit card data breach piled on an “already aggressive holiday season,” he said. Despite all this, Janney doesn’t expect the stock to take much of a hit as Target “has shaken off lots of bad news recently,” Strasser said. The latest announcement may largely put “the credit breach behind them,” he said. The risk ahead is the time it takes for consumers to “forgive” Target, he said. If the situation mirrors past breaches, consumers’ shopping patterns at Target should normalize as the year goes on, Strasser said. Janney remains neutral on Target, citing incremental costs the company will have to incur on legal and consulting fees, information technology system updates, and penalties and lawsuits. “This is bad news and the stock’s ability to weather tough results looks like a bottoming process,” Strasser said.
In its latest update on the credit card data breach, Target CEO Gregg Steinhafel said, “I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this.” He reiterated that affected Target customers “will have zero liability for the cost of any fraudulent charges arising from the breach.” To give customers “further peace of mind,” Target is offering one year of free credit monitoring and identity theft protection “to all guests who shopped our U.S. stores,” he said. Guests have three months to enroll in the program, with additional details to be shared in the next week, he said. The company will post further information on the breach at target.com/databreach, he said.
On the additional customer information that was part of the breach, Target said, “Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams.” To guard against additional scams that try to take advantage of the high-profile Target data breach, the retailer said it will not ask customers to provide any personal information as part of its email communication with them.
As a Target REDcard holder, we had not received any such communication from the company by Friday afternoon. We had received a REDcard email alert that a recent legitimate payment had been posted to our account and a promotional email on a clearance sale with “tons” of sale items. One such item was an LG 55LN5200 55-inch LED-lit TV discounted by $200 to $699. It wasn’t much of a deal, we found, as Walmart was selling the same model for $100 less.
In a financial news release issued Friday, Target said 2013 EPS “may include charges related to the data breach” but the company isn’t able to estimate the costs at this time for Q4 or beyond. Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card re-issuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings. The retailer said costs may also include expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.
“In light of the recent data breach, our top priority is taking care of our guests and helping them feel confident in shopping at Target,” said Chief Financial Officer John Mulligan. “While we are disappointed in our 2013 performance,” he said, the company will continue to manage the business “with great discipline” while continuing to reinvest in “multi-channel initiatives” to generate long-term value for shareholders.
Target’s stock largely weathered the news Friday with shares slipping 1.2 percent to close at $62.60. Share volume Friday passed 12 million compared with a daily average volume of 5.3 million for the past three months.
“Actual implementation” of data breach legislation “tends not to come to fruition” because of “disagreement on how to address the data breach issues,” said Jessica Herrera-Flanigan, an attorney at Monument Policy Group, with high-technology clients. “We can expect a lot of activity in the coming weeks and months, but whether it actually results in a bill going to the president to sign is another question.” Congress needs to consider “what needs to be done on the cybersecurity front more broadly,” said Herrera-Flanigan, who expects more emphasis on cybersecurity efforts in the commercial sector. Congress should also address “other cybercrime laws and practices” to reduce criminal hacking, she said.
Interest in the Target breach “could be the impetus for legislation,” said a spokesman for Privacy Rights Clearinghouse, a consumer privacy organization that says funders include the Consumer Federation of America (http://bit.ly/1isqCC7). “More troubling” is Target’s role as an “industry leader in data mining,” said the spokesman. This incident isn’t only about the personal information Target had already acknowledged was stolen, but “purchasing history, as well,” although the retailer has not said whether that information was breached, he said.
“An FTC investigation is necessary -- and should be publicly confirmed -- so that consumers know their rights and interests are protected,” said Sen. Richard Blumenthal, D-Conn., in a statement on the Target hacking. “I will pursue legislation to deter, punish, and prevent failures to properly protect confidential consumer information.”
“When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed,” said Sen. Ed Markey, D-Mass., in a statement (http://1.usa.gov/1emZbJ8). “These findings only underscore the need for retailers across industries to make their security safeguards iron-clad to ward off hackers prowling for Americans’ personal information.” Markey said he will continue to lobby for “strong privacy and security standards to protect consumers’ personal information.”