Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear.
Target Corp said data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday shopping season.
The data theft, unprecedented in its ferocity, took place over a 19-day period that began the day before Thanksgiving. Target confirmed on Thursday that it identified and resolved the issue on Dec. 15.There are no indications that the theft affected shoppers on Target's website.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," Gregg Steinhafel, chief executive officer of Target, said in the statement.
Target said the breach, second-largest hack at a U.S. retailer, might have compromised accounts between Nov. 27 and Dec. 15, a period of nearly three weeks.
On Thursday, Target told customers in an alert on its website that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes."On December 15, we were able to identify an unauthorized access and we were able at that time to resolve the issue," Target spokeswoman Molly Snyder said by telephone.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target's 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards. The status of the 124 Canadian stores is not known.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. "It is very clear it is a sophisticated crime," Snyder said.
Target urged any customers who suspect they are affected by the data breach to call 866-852-8680.
'A sophisticated crime'
Though smaller than the breach disclosed in March 2007 by TJX Companies Inc, parent of apparel chains TJ Maxx and Marshalls, the data theft took place over a much shorter period and hit shoppers at the beginning of the U.S. holiday season.The data theft revealed by TJX took place over 18 months, affecting 45.7 million payment cards, according to the company. Banks later said in court documents that the hackers could have obtained more than 94 million account numbers in the TJX case.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
"While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales (will) trend in January," said Brian Sozzi, chief executive officer of Belus Capital Advisors.
Fraud controls implemented
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
Target said it had alerted authorities and financial institutions immediately after it was made aware of the unauthorized access and that it was "putting all appropriate resources behind these efforts."
The company said it hired a forensics firm to investigate the incident.
Target's shares, which have risen 7.4 percent this year, closed at $63.55 on the New York Stock Exchange on Wednesday. The stock has largely underperformed the broader S&P 500 index, which has risen 27 percent this year.
Target Corp said data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday shopping season.
The data theft, unprecedented in its ferocity, took place over a 19-day period that began the day before Thanksgiving. Target confirmed on Thursday that it identified and resolved the issue on Dec. 15.There are no indications that the theft affected shoppers on Target's website.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," Gregg Steinhafel, chief executive officer of Target, said in the statement.
Target said the breach, second-largest hack at a U.S. retailer, might have compromised accounts between Nov. 27 and Dec. 15, a period of nearly three weeks.
On Thursday, Target told customers in an alert on its website that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes."On December 15, we were able to identify an unauthorized access and we were able at that time to resolve the issue," Target spokeswoman Molly Snyder said by telephone.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target's 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards. The status of the 124 Canadian stores is not known.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. "It is very clear it is a sophisticated crime," Snyder said.
Target urged any customers who suspect they are affected by the data breach to call 866-852-8680.
'A sophisticated crime'
Though smaller than the breach disclosed in March 2007 by TJX Companies Inc, parent of apparel chains TJ Maxx and Marshalls, the data theft took place over a much shorter period and hit shoppers at the beginning of the U.S. holiday season.The data theft revealed by TJX took place over 18 months, affecting 45.7 million payment cards, according to the company. Banks later said in court documents that the hackers could have obtained more than 94 million account numbers in the TJX case.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
"While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales (will) trend in January," said Brian Sozzi, chief executive officer of Belus Capital Advisors.
Fraud controls implemented
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
Target said it had alerted authorities and financial institutions immediately after it was made aware of the unauthorized access and that it was "putting all appropriate resources behind these efforts."
The company said it hired a forensics firm to investigate the incident.
Target's shares, which have risen 7.4 percent this year, closed at $63.55 on the New York Stock Exchange on Wednesday. The stock has largely underperformed the broader S&P 500 index, which has risen 27 percent this year.