The Minneapolis-based retailer announced Friday the theft included a theft of guest information -- separate from the in-store sales data -- that may affect as many as 70 million customers.
Target said the data stolen includes names, addresses, phone numbers and email addresses, and may have been accessed regardless of whether the customer shopped at Target between November 27 and December 15, when the breach took place.
The total number of customers affected was unclear, as some of those whose data was accessed in this way may overlap with the 40 million whose information was stolen from in store point-of-sale systems.
"This theft is not a new breach, but was uncovered as part of the ongoing investigation," the company said, in a statement that included the announcement Target would provide credit monitoring and identify theft protection for all impacted customers.
"Guests will have zero liability for the cost of any fraudulent charges arising from the breach," the statement read. "To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores."
The company said it would provide additional details on how to sign up next week, and that it would work to contact any customers for whom it had an email address.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”