Target said Thursday that data on 40 million of its customers’ credit and debit card accounts may have been breached by cyber-crooks during the busy holiday season.
The Minneapolis retailer said the unauthorized access — which occurred between the Nov. 27 start of Black Friday weekend and Dec. 15 — may mean that criminals now have shoppers’ names, payment card numbers, expiration dates and three-digit security codes at their disposal.
The breach affects Target patrons who made purchases at U.S. stores, the company said.
The chain said it is working closely with law enforcement agencies and financial institutions, “putting all appropriate resources behind these efforts.”
The company also said it is partnering with a third-party forensics firm to investigate the situation.
In Wilson County, CedarStone Bank has taken action to safeguard its account holders who made purchases at Target by beginning to issue new debit cards.
“Our security team has gone through and located customers who have purchases from Target on their accounts, and we are contacting them to let them know they are being issued a new debit card,” said CedarStone Vice President of Business Development John Bryan.
Target said customers should now stay on the lookout for fraud and identity theft and contact their banks and the Federal Trade Commission if they notice anything suspicious. Shoppers were cautioned to regularly check their account statements and free credit reports; the chain even suggested setting up fraud alerts.
The breach was originally reported by the KrebsOnSecurity blog, which, citing anonymous sources, said that the data break-in extended to nearly all of Target’s 1,797 stores nationwide.
Black Friday is considered to be the top shopping day of the year in terms of revenue and traffic, according to research firm ShopperTrak. Many stores also opened on Thanksgiving this year and then extended doorbuster-type deals through the middle of December.
Target opened at 8 p.m. on the holiday and reported lines out the door at many of its stores.
The breach is already looking as if it may be one of the largest to date for a retailer. In 2007, T.J. Maxx and Marshalls parent company TJX Cos. said hackers had entered its computer systems and weren’t detected for more than a year.
TJX had about 50 million credit and debit card accounts on file. The company in 2009 agreed to pay $9.75 million to 41 states, including California, to settle an investigation of the breach.
In a statement, Visa Inc. noted that the breach is “affecting all major card brands” but said that “because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare.”
Visa said that its cardholders are shielded from sham purchases with a zero-liability protection policy.
Tiffany Hsu of The Los Angeles Times contributed to this report via MCT.