A revelation by Target showed its holiday data breach spanned far wider than originally expected, raising new questions about exactly how such an expansive hack took place.
The retailer said Friday that its investigation had uncovered an additional 70 million customers may have had their names, mailing addresses, phone numbers, and email addresses stolen. Previously, Target said the breach occurred on the terminals where customers swiped credit and debit cards, compromising certain financial information of 40 million shoppers between Nov. 27 and Dec. 15, 2013.
Friday's update, however, raises concern that the wider breach took place elsewhere in Target's customer infrastructure. Target first said the only information affected was stored in the magnetic strips on the back of customers' cards; a week later the retailer admitted customers' encrypted PIN data had also been obtained. But personal information about shoppers—such as names, addresses and telephone numbers—are not stored anywhere on a credit or debit card, according to bank and credit card officials interviewed by CNBC.
(Read more: Neiman Marcus: Hackers may have stolen card data)