Target Corp. is investigating a massive customer data breach that may have affected up to 40 million credit and debit cards of holiday-season shoppers at stores nationwide between Nov. 27 and Dec. 15.
The news was first reported late Wednesday by security columnist Brian Krebs on his website Krebsonsecurity. He said the breach involved magnetic stripe "track data" containing private customer information.
The data allow thieves to create counterfeit cards, and if PIN numbers for debit cards were also intercepted, those phony cards could be used to withdraw cash from ATMs.
Krebs reported the breach extends to nearly all Target locations nationwide. Target has nearly 1,800 U.S. stores.
Krebs advises shoppers to carefully watch their credit card statements for bogus charges. He said they should notify the bank that issued their cards in order to prevent being liable for any fraud.
The Minneapolis-based retailer confirmed the report in a statement, noting, "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue." Among other actions, "Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Gregg Steinhafel, chairman, president and chief executive officer, Target, said in the statement.
The New York Times reports the Secret Service is among the agencies investigating the breach that began two days before Black Friday, the traditional kickoff for the holiday shopping season.
The Times notes that a similar breach of point-of-sale systems affected Barnes & Noble stores last year. Shoppers at 63 Barnes & Noble stores nationwide were affected, the newspaper notes.
American Express and Discover officials said they were "aware" of the incident and had fraud controls in place, CNN reported. A Master Card spokesman told USA Today that a question about the breach "at this point is best directed to Target."
Krebs noted that there are no indications yet that the breach affected customers who shopped at Target's online stores.
Twin Cities retail analyst Jim McComb told the Pioneer Press, "Presuming this is all true, it's probably one of the most serious things you can have happen, because it affects not only your store operations, it affects the lives and financial security of your customers."
McComb added the big worry is about any stolen data, but there's also the hassle of losing access to a credit or debit card during the busiest shopping week of the year.
It remains to be seen if the news will hurt Target sales in the final run-up to Christmas, the Star Tribune notes. The newspaper also notes that the biggest credit card breach at a U.S. retailer is believed to have been in 2007, when the parent company of TJ Maxx and Marshalls reported 45.7 million cards had been stolen by hackers over 18 months.
The Christian Science Monitor has the top 5 worst data breaches in terms of actual cost.
A sampling of reaction from the Twittersphere: