As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” While there is probably some overlap between the two groups, Target says that it still does not know the extent of that overlap or the ultimate scope of the breach.
Target’s breach is believed to be the second largest in history for a retailer, affecting about one third of American adults. Experts report that shortly after the breach, the stolen information began flooding into the black market. Consumer saw the news and stayed away in droves; the company’s sales declined significantly after its initial breach announcement in December.
Class action lawsuits have already been filed against Target on behalf of affected consumers in a number of states, including California, Massachusetts, Minnesota, Ohio, and Utah. There is, however, skepticism as to whether these class actions will amount to anything, because of the lack of actual harm to most customers; such harm is required to demonstrate standing under the recent Supreme Court decision, Clapper v. Amnesty International USA (“We hold that respondents lack Article III standing because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”)