Target on Friday extensively revised the number of customers whose personal information was stolen in a widespread data hack during the holiday season, bringing the total to a possible 110 million people from 70 million.
The stunning figure represents about a third of all American adults at the low end and is nearly three times the company’s original estimate at the upper end. The scope of the theft is now rivaling the largest theft ever of retail data.
Not only did Target’s announcement Friday disclose a vastly expanded universe of credit and debit theft victims, but it revealed that the hackers stole a broader trove of data than originally reported.
The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers and names.
Target still has not explained how hackers accessed the data, saying it remains under investigation.
Target initially confirmed reports on Dec. 19 that payment data from about 40 million in-store customers was stolen between Nov. 27 and mid-December.
But as its investigation into the theft continued, the company said it found that an additional store of data collected over time on 70 million people had been hacked as well.
Although there could be overlap between the two groups of customers, the latest subset of potential victims includes customers who may not have shopped at Target during the holiday period.
Ever since news broke of Target’s security breach in the final days of the holiday season, credit card companies and banks have been issuing warnings about potential fraud to their customers and providing them with new cards and account numbers as a precaution.
Some banks have even limited cash withdrawals. As banks and companies continue to monitor customers’ accounts for suspicious activity, the Secret Service and the Justice Department have opened an investigation.
The company apologized yet again for the broadening security violation of its customers’ privacy.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, the Target chief executive, said in a statement.
Molly Snyder, a Target spokeswoman, said that the data from customers included information gleaned through the normal course of business – when a person uses a call center and provides a phone number, for example, or volunteers an email address while shopping online.
Snyder conceded that the number of customers exposed could still grow.
The latest developments come as Target said that just this week it was starting to see sales recover from the crisis.
The company, however, cut its earnings outlook for the quarter that covers the crucial holiday season and warned that sales would be down for the crucial period.
But with the latest news, some analysts believe the breach could be a financial drag on the company for several more quarters.
“Target is in a critical situation with consumers because its credibility and brand loyalty are being questioned,” said David E. Johnson, CEO of Strategic Vision, LLC, which specializes in crisis communications.
“Right now, investors think Target can weather the storm. But the longer it gets worse, the worse it is for Target.”
Meanwhile, the attorney general from New York announced that it is participating in an investigation into the security breach. Attorney General Eric T. Schneiderman called the latest news “deeply troubling.”
Snyder, the Target spokesman, said that she didn’t have new details to share about how the data breach was conducted.
The theft from Target’s databases could potentially be the largest data breach on record, surpassing an incident uncovered in 2007 that saw more than 90 million credit card accounts pilfered from TJX Cos. Inc.
Target investors have been largely unmoved by the company’s disclosures. Target’s stock, while volatile, has traded at about $63 since news of the breach leaked on Dec. 18. It slipped just 80 cents, or more than 1 percent, to $62.54 in trading Friday.
But some observers believe the stock could get battered if consumers stay away from Target stores.
Several Wall Street analysts downgraded their earnings forecasts for the retailer Friday.
Colleen McCarthy, 26, of Cleveland, Ohio, is among those who are avoiding Target.
McCarthy used her Chase debit card at a local Target on the Friday after Thanksgiving and received a notice from Chase a few days after news of the breach first broke.
The letter identified her as a potential victim of the Target breach but said, “don’t worry.” At the time, she was only somewhat concerned.
But Monday night McCarthy received a call from Chase, alerting her that someone tried to use her debit account twice in Michigan.
The thief cleared $150, which caused her rent check to bounce. Chase restored the money to her account. “This has been a nightmare,” she said. “My rent check bounced. My debit card had to be canceled. And who’s to say what other people have access to my information?”
The Associated Press contributed to this report.