On Thursday, Target said that hackers gained access to as many as 40 million credit and debit cards used by its customers over three weeks of the holiday shopping season — one of the largest breaches ever of American consumer data.
Company officials offered few details on the intrusion, which reportedly began the day before Thanksgiving and lasted until Sunday this week.
Customers at Target’s nearly 1,800 stores in the United States were potentially affected, though those who shopped online were not, the company said.
The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards. The data breach did not affect online purchases. Target said there is no indication that PIN numbers were taken in the data breach.
Outside security experts said the information that Target reported stolen is contained on the magnetic stripes of debit and credit cards and could be used to create fraudulent new cards.
Target said it notified law enforcement authorities and financial institutions after discovering the breach. The company said it also has hired an outside forensics firm to investigate the incident and strengthen its systems.
Target didn’t say exactly how the data breach occurred, but said it had since fixed the problem and that credit card holders can continue shopping at its stores.
“Whatever money Target thought they were going to get during the holiday season just got flushed down the data-breach toilet,” said John Kindervag, an analyst and data security expert at Forrester, a research firm. He estimated that Target will have to spend at least $100 million to cover legal costs and to fix whatever went wrong.
Kindervag said the company will owe money to card brands, like Visa and American Express, that have to reimburse customers for fraudulent transactions. Target, based in Minneapolis and one of the nation’s largest retailers, also faces the risk of enduring damage to its reputation, according to analysts and consumer advocates. Company stock was down more than 2 percent on a generally flat day on Wall Street.