Target (TGT) said a massive theft of credit and debit card data from its stores may have impacted 40 million accounts, one of the largest security breaches ever reported.
The discount retailer confirmed on Thursday that it’s aware of unauthorized access to payment card data between Nov. 27 and Dec. 15, at the start of the busiest shopping season of the year.
Target alerted authorities and financial institutions after it became aware of the breach and is partnering with a third-party forensics firm to investigate the theft, the company added.
According to a notice to customers on Target’s website, the theft targeted shoppers who made purchases using credit or debit cards in U.S. stores, not on the company’s website. The information that was stolen included customer names, card numbers, expiration dates and the CVV three-digit security code.
The Minneapolis-based retailer has 1,797 domestic locations, as well as 124 stores in Canada.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Target chairman and CEO Gregg Steinhafel said in a statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
The U.S. Secret Service is investigating the incident, spokesman George Ogilvie told FOX Business.
Visa (V), the world’s largest payments network, said it works with companies when their systems have been breached to provide card issuers with comprised accounts. Card issuers can then “take steps to protect consumers through fraud monitoring and, if needed, reissuing cards.”
Most major card companies like Visa have zero liability policies that cover fraudulent purchases. Visa also noted that incidences of fraud involving compromised accounts are “actually rare,” and its own fraud rates are near historic lows.
A Mastercard (MA) spokesperson didn’t immediately respond to a request for comment.
Target shares were trading 2.1% lower at $62.17 on Thursday afternoon.
The industry has grappled with massive data thefts before. In 2007, T.J. Maxx and HomeGoods parent TJX (TJX) reported that thieves stole card numbers and personal data from as many as 90 million cards.
One of the latest breaches happened last year at Global Payments, an Atlanta-based payment processing company. Information from up to 1.5 million accounts was stolen.
The data breach at Target was first reported by the Krebs on Security website, which is operated by computer security expert Brian Krebs.
Alex McGeorge, a senior security researcher at Immunity Inc., said the theft of track data, or the information contained on a credit card’s magnetic strip, is an indication that the hackers compromised Target’s point-of-sale terminals.
The fact that Target’s website wasn’t affected also points to an attack on store terminals. “People have compromised those machines before,” he noted.
Based on the information provided by Target, McGeorge also said it’s safe to say a team of hackers was involved, and whatever method the thieves used was likely under testing for a while. One potential method would involve an insider planting malware on Target’s network, while the hackers could have also used an update utility to push malware to all terminals.
He explained that flat networks, in which most devices like computers and registers are connected, are more susceptible to wide-ranging attacks.
“On a flat network, once they’re on a computer, they can talk to 90% of the network,” McGeorge said.
“I’ve seen this with a lot with companies similar to Target,” McGeorge added, noting that it remains unclear what type of network Target has. “But the fact that they hit every store got us thinking in that direction.”
FOX Business Network’s Rich Edson contributed to this report.