Target Corp. warned that last year's massive security breach could have been more extensive than reported so far.
"Our investigation of the matter is ongoing and it is possible that we will identify additional information that was accessed or stolen, which could materially worsen the losses and reputational damage we have experienced," the company said in its 10-K annual report filed with the Securities and Exchange Commission on Friday.
The company has so far said that some 40 million payment card records were stolen along with 70 million other customer records during a massive cyberattack over the holiday shopping season.
For example, the SEC filing noted that when the company initially identified the intrusion in mid-December investigators believed the information stolen was limited to some 40 million payment card records. They later discovered that another 70 million pieces of customer data had been taken.
The Minneapolis-based retailer has previously warned that news of the breach has damaged its reputation, causing some customers to stay away and hurting sales.
Target executives are unsure how long it might take to restore the company's reputation, the filing said. "We cannot predict the length or extent of any ongoing impact to sales."
When the company reported quarterly results on Feb. 26, it said customer traffic had started to improve this year after falling significantly on news of the cyberattack, which surfaced in mid-December.
Congress is investigating the breach along with potential lapses at other retailers, and credit card companies are pushing for better security.
Target faces dozens of class actions and potential action from banks seeking reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.