Target data breach may have affected 70M shoppers

And stolen info may include addresses, phone numbers, and email addresses

I know the holidays are dead and gone and we need to move on, but shit’s still going down at Target. In case you needed one more reason to do all of your holiday shopping exclusively online, it turns out a whopping 70 million customers may have been affected by the data breach. Previously, Target estimated some 40 million were affected—still an unsettlingly large number.

To make matters worse, Target revealed Friday morning that even more information may have been compromised, including names, mailing addresses, phone numbers, and email addresses. That’s in addition to stolen card numbers, PINs, and security codes.

Anyone who shopped at Target between November 27 and December 15 could have been affected. (Guess who shopped at Target during that time period. My debit card may have been compromised, forcing me to get a new one and change the card information for all of my online bills, but I walked out of there with a cute sweater.)

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Target CEO Gregg Steinhafel, in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

In an attempt to make it up to customers, Target is offering one year of free credit monitoring and identity theft protection for those who shopped at the store during that time period. Customers will have three months to sign up.

Target previously said that online shoppers were not affected by the data breach, which had something to do with compromised card swipers, so only those who shopped in-store at any U.S. Target location between November 27 and December 15 may have been affected. It’s not entirely clear whether that’s still the case, but we’ve reached out for more information and will update when we hear back.

Target updated its fourth quarter outlook in the same press release and revealed that while the company anticipates stronger-than-expected sales prior to the December 19 data breach announcement, sales likely dropped off immediately thereafter. Target said it expects “meaningfully weaker-than-expected sales” after the announcement, with a comparable sales decline of 2-6%.

The company expects further uncertainty in its GAAP EPS since it has no idea what kind of costs it’s facing in terms of reimbursements for credit card fraud and liability payments, Target REDcard fraud, civil litigation, government investigations, law enforcement proceedings, expenses for legal and investigative fees, and investments in remediation activities. In sum: there’s a big clusterf*ck of bills on the horizon.

Target has 1,797 stores in the U.S. and 124 stores in Canada, though it looks like only U.S. stores were affected. The company posted a profit of $1.6 billion on $51 billion in sales in the first nine months of 2013. Target originally expected to see a full-year EPS of $3.52.