Target Corp. said as many as 70 million customers had their data stolen during the holiday shopping season, significantly more than it previously announced. The company first estimated that about 40 million were victims of the data theft that occurred between Nov. 27 and Dec. 15 at stores nationwide.

Target spokesperson Molly Snyder said today that an ongoing investigation revealed that some customer information was stolen in addition to payment card data. In many cases, thieves received information including names, mailing addresses, email addresses and phone numbers.

Snyder added that customers affected by the security breach will have no liability for any fraudulent charges.

Chief Executive Gregg Steinhafel said in a statement, “I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this.”

The new numbers from the third-largest U.S. retailer have raised a few eyebrows, and critics say the company still doesn’t know the extent of the crime.

I think they still have no idea how big this is,” said David Kennedy, a former Marine Corps cyber-intelligence analyst who now runs the consulting firm, TrustedSec LLC. He told Reuters, “This is going to end up being much larger than 70 million and end up being the largest retail breach in history.”

As it stands, the largest known breach at a U.S. retailer was discovered in 2007. During that incident, information was stolen for more than 90 million credit cards over an 18-month period.