US retail giant Target said about 40 million customers may have had bank card data compromised by hackers who broke into its database as holiday shopping got underway.
Target said on Thursday there had been “unauthorised access” to its payment system in US stores affecting credit and debit cards.
According to Target, hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a US retailer.
Target said it is working with law enforcement and financial institutions and “has identified and resolved the issue”.
“We take this matter very seriously and are working with law enforcement to bring those responsible to justice,” said chief executive Gregg Steinhafel.
In a separate communication to consumers on its website, the company recommended shoppers “remain vigilant for incidents of fraud and identity theft”.
“We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code),” Target said.
Target urged consumers to closely read their account statements and credit reports and to report suspicious activity to financial institutions.
Target is the US’ third-largest retailer after Wal-Mart Stores and Kroger, according to Stores Media, a part of the National Retail Federation.
The company had 1,778 stores in the US as of February 2013.
The timing of the breach could not have been worse for Target, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years.
“An obvious fear will be that the criminals will use the stolen data to create counterfeit credit and debit cards, and plunder customers’ bank accounts,” said independent security researcher Graham Cluley.
Target warned customers in an alert on its website that the criminals had stolen names, payment card numbers, expiration dates and security codes.
Krebs on Security, a security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target’s 1,797 stores in the United States.
Customers began to complain early on Thursday via Target’s Facebook page.
“Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again,” said one posting.
“Shop at Target, become a target,” remarked another.
Target’s Snyder said it had been getting an “extremely high” volume of calls from customers.
“This could hurt the end of the holiday season if for no other reason than many of their customers have to cancel cards ahead of holidays,” said Janney Capital Markets analyst David Strasser.
The breach also comes at a time Target is trying to build its online business, which by some estimates is only 2 percent of sales.