In yet another disturbing revelation about its massive data breach, Target said Friday that 70 million to 110 million customers were victimized -- far more than it initially disclosed -- potentially making the attack among the worst ever.

The company first reported that thieves stole the credit and debit card information of 40 million customers. On Friday, Target said the names, phone numbers and home and email addresses of a separate group totaling 70 million people were taken, which experts said could heighten the risk of customers' card numbers being used fraudulently.

While there could be overlap between the two groups, the retailer confirmed that "up to 110 million" people may have been victimized.

The expanding scope of the disclosures also illustrates another disturbing element in many cyberattacks: Not only do companies have trouble preventing them, they often have trouble fully understanding just what was stolen.

That's largely because they refuse to spend what's needed to keep hackers at bay, said security expert Philip Lieberman of Lieberman Software.

"They don't care," he said. "They've made a calculated decision that it's cheaper to take this hit than to implement the systems to fix it. I've had this conversation with CEOs of many large retailers."

Andreas Baumhof, chief technology officer at security firm ThreatMetrix, was similarly critical, declaring, "the state of corporate security is a joke."

Indeed, the prestigious Ponemon Institute reported in November that in a survey of more than 2,000 officials in charge of security at U.S. and other organizations, one-third couldn't say for sure if they'd been targeted by a cyberattack in the previous 12 months.

The information stolen in Target's Friday revelation already is being peddled online along with the card data, said Gary Steele, CEO of Sunnyvale security firm Proofpoint.

"We're seeing it collectively being sold," he said. "It's amazing how fast this all happens."

There is still a significant amount of confusion surrounding Target's latest disclosure.

While investigating the stolen debit and credit card information, the discount retailer said it found that customer information -- "separate from the payment card data previously disclosed -- was taken during the data breach. ... The stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."

Target spokeswoman Sarah Van Nevel said those 70 million customers "are separate from the 40 million" previously reported. But in response to media reports that some Target customers could have been in both groups, she added that the total number of victims "could be up to 110 million."

An estimated 130 million credit card numbers were pilfered in a 2009 attack on card processor Heartland Payment Systems. Among retailers, the biggest theft occurred in 2007 when crooks stole 90 million card records from TJX, the parent company of T.J. Maxx.

It's also unclear when the latest 70 million victims shopped at Target. Although the company said thieves stole the 40 million credit and debit card numbers from Nov. 27 to Dec. 15, some newspapers reported that the rest of the affected customers may have shopped at other times.

Asked about that, Van Nevel said, "I can't share anything additional beyond telling you this information was collected during the normal course of business."

Target's disclosures have been especially troubling because they keep getting worse. Besides underestimating how many customers were affected, the company initially said it had no evidence the crooks stole debit card PIN numbers, potentially enabling them to steal the customers' money from ATM machines. But eight days later, it said "strongly encrypted PIN data was removed."

Although Target said its customers "will have zero liability for the cost of any fraudulent charges arising from the breach," security experts warned that Friday's disclosure about the additional stolen information makes it more likely crooks will try to defraud those customers.

They especially may go after Target customers who order new credit or debit cards because of the breach, Lieberman said. He expects crooks -- using the stolen names and email addresses -- to send the customers emails posing as their card-issuing companies and asking for other information that could be used to make fraudulent purchases with the card numbers.