Target said Thursday that the credit and debit card information of as many as 40 million customers was compromised over three weeks of the holiday shopping season — one of the largest breaches ever of American consumer data.
Within hours, worried customers overwhelmed the site for Target’s own credit card and jammed a phone line that the company set up for people to call with concerns. Target said that it was working on the problem but had no estimate for when the site and phone number would work again.
The breach, which extended to almost all Target stores in the United States, captured data stored on the magnetic stripes of the cards that customers swipe at the cash register, according to Krebs on Security, a respected data security blog.
Krebs, which broke the story Wednesday, cited sources from two top card companies.
Target said that the information compromised included customer names, card numbers, expiration dates and the short verification codes known as CVVs — everything an attacker would need to create a counterfeit card.
The breach happened from Nov. 27, one day before Thanksgiving, through Dec. 15, a period that includes Black Friday and some of the busiest shopping of the calendar, Target said in a press release.
Investigators believe credit and debit card data was obtained via software installed on machines that customers use to swipe the magnetic stripes on their cards when paying for merchandise at Target stores, a source told Reuters.
Target said that it had alerted authorities and banks, and that the issue was “identified and resolved.” Still, it encouraged customers to look over their account statements and obtain credit reports. Target did not say how it might have happened.
“It is very clear it is a sophisticated crime,” Molly Snyder, a spokeswoman for the company, told Reuters.
At up to 40 million customers, the breach ranks among the biggest in U.S. corporate history. In 2007, the data of more than 45 million customers was stolen from stores including T.J. Maxx and Marshalls.
Last year, the Barnes & Noble bookstore chain said that someone had planted software in PIN pad devices at 63 of its stores in nine states to steal the data from magnetic card stripes. The company responded by taking PIN pad devices out of all its stores.
And in 2011, a hack exposed the credit card information of 100 million user accounts on the Sony PlayStation video game network.
Target, with almost $72 billion in U.S. sales last year, is the third-largest store in America, trailing only Walmart and the Kroger grocery store chain. Target has about 1,800 stores in the United States.
Krebs on Security reported that the breach hit only customers who shopped at physical Target stores, not online. The blog cited reliable sources familiar with the matter.
The information from magnetic stripes, known as “track data,” is valuable on the black market. It would allow criminals to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If PIN codes were also intercepted, that would allow criminals to withdraw the cash of unsuspecting customers from ATMs.
Krebs quoted an anti-fraud analyst at one of the 10 biggest bank-card issuers as saying that “we do see customers all over the U.S. that were victimized.”
Target said that its investigation includes working with a third-party forensics firm.
The company said that customers who made purchases at its U.S. stores during the three weeks in question should call it at 866-852-8680, or seek copies of their credit reports from the agencies Equifax, Experian and TransUnion.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” said Gregg Steinhafel, Target’s president and CEO.
“We regret any inconvenience this may cause,” he said. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Data breaches are expensive for retailers. TJX Cos., which operates T.J. Maxx and Marshalls, paid $9.75 million in a settlement with states in June 2009, although the company said at the time that it believed it did not violate any consumer protection or data security laws.
The breach comes as retailers struggle to lure customers, cautious because of flat wages and an uncertain economic recovery, to stores during the holiday shopping season.
Recent surveys have already shown that online shopping could become the top choice for consumers this holiday season. Customers prefer the lower prices and the convenience of shopping at any time from home.
Mary Thompson of CNBC contributed to this report. Reuters also contributed.
First published December 19, 2013, 9:07 AM