Target says information from approximately 40 million of its customer credit and debit cards swiped in stores may have been compromised by a data breach during the height of the holiday shopping season.
The data breach occurred between Nov. 27 and Dec. 15, 2013, at U.S. stores, Target said in a statement this morning. Target said it immediately contacted authorities and financial institutions once it became aware of the breach. The Minneapolis-based company said it was teaming with a third-party forensics firm to investigate the breach.
"Target's first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, chairman, president and chief executive officer. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
The U.S. Secret Service is investigating but declined to provide further details.
Brian Krebs, who first broke the story for KrebsOnSecurity.com Wednesday, said the breach couldn't have come at a worse time for shoppers and Target.
"I can't think of another day in the calendar when Target or anyone else could expect to have more people in stores. More deals, traffic, more swipes -- perfect day to launch an attack," Krebs told ABC News.
Krebs said the breach involved the data stored on the magnetic strip of cards used only in stores and not online. The breach, said Krebs, may extend to nearly all of the 1,797 Target stores nationwide.
"The information that's stored on the magnetic strip -- name, card number, expiration date, other info -- if bad guys can steal that card ... they can actually create a second copy," Krebs said.
If thieves can create a second copy and are able to intercept a PIN number, that could allow them to withdraw money from ATMs, said Krebs.
Customers who may have been affected should pay extra attention to their debit and credit card statements, said Krebs.
"Advice to customers -- be vigilant, pay attention to your statement if something doesn't look right," Krebs cautioned. "Whether or not you feel like you might be impacted by this breach, it's a really good idea, particularly around this time of year, to pay attention to what's on your debit and credit card statements."
While consumers will likely be reimbursed for any fraudulent charges, the refund might not come until after Christmas, creating another headache for shoppers.