Giant US retailer Target said Friday that up to 110 million customers have had their personal data stolen in a data breach, sharply raising its initial estimate.
The number of people affected represented one in three Americans, and the scope of the information stolen was much broader than originally thought, Target admitted.
Target initially reported on December 19 that payment card data of some 40 million customers had been obtained by hackers during the year-end holiday shopping season.
The stolen information included credit and debit card data, customer names and PINs (personal identification numbers).
On Friday, Target said that its investigation had revealed that hackers also stole a second batch of data that included names, mailing addresses, phone numbers or email addresses for up to 70 million people.
"This theft is not a new breach; these are two distinct thefts as part of the same breach," a Target spokesman told AFP.
"The 70 million guests impacted by this new development are separate from the 40 million number that was previously shared."
Target chief executive Gregg Steinhafel said the company was "truly sorry" for the data breach.
Target said consumers would have "zero liability" due to any fraudulent charges arising from the theft. It offered one year of free credit monitoring protection.
Target is cooperating with an investigation led by the Justice Department and Secret Service. A group of state attorneys general has launched a parallel investigation aimed at protecting victims.
New York Attorney General Eric Schneiderman called the new disclosure "deeply troubling."
"Consumers in New York and around the country expect and deserve companies that protect their personal information when they shop on their websites and in their stores," Schneiderman said in a statement.
Target said the news of the data theft, which came at the peak of the Christmas shopping season, impacted sales in its stores.
It said it now expects fourth-quarter comparable store sales to decline 2.5 percent from its prior forecast of flat sales.
The company said it may need to take a charge for expenses related to the data breach to cover potential costs, including reimbursements for credit card fraud, liabilities from civil litigation, government investigations and enforcement proceedings.
Target shares shed 1.1 percent to $62.62 on Friday.