Target Corp. said Friday a massive payment card data breach that occurred during the first three weeks of the holiday shopping season affected up to 70 million people, far more than previously estimated.
In a statement, Target said an ongoing forensic investigation showed that certain customer information in addition to payment card data was stolen during the data breach.
The investigation showed that the stolen information included names, mailing addresses, phone numbers and email addresses.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Chief Executive Gregg Steinhafel said.
Target plans to contact customers whose information may have been compromised.
"Guests will have zero liability for the cost of any fraudulent charges arising from the breach," the company statement said. "To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores."
- PHOTOS: What's Brewing in Steamy Hallows, the Harry Potter-Inspired Cafe19 Pictures
- PHOTOS: Frida Kahlo at the Brooklyn Museum doesn't hold back23 Pictures
The data breach was originally disclosed in mid-December, with the company estimating information from 40 million credit and debit cards was stolen between Black Friday and Dec. 15.
Several lawsuits have been filed, with attorney generals from several states demanding more information from Target and consumer advocates calling for more secure payment systems.
Friday's news raised concerns that Target had not yet fully grappled with the extent of the data breach.
"I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
"This is going to end up being much larger than 70 million and end up being the largest retail breach in history," said Kennedy, who has experience investigating retail breaches.
The largest known breach at a U.S. retailer, uncovered in 2007 at TJX Cos. Inc, led to the theft of data from more than 90 million credit cards over about 18 months.