Target says as many as 40 million in-store customers may have had their credit and debit card information compromised after a security breach in the retailer’s payment card systems between November 27 and December 15. The breach was limited to the retailer’s brick-and-mortar stores in the U.S.
Target says it is “working closely with law enforcement and financial institutions, and has identified and resolved the issue.”
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said CEO Gregg Steinhafel in a statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
According to reports in the Associated Press and the Wall Street Journal, the Secret Service is investigating.
The story was first broken by journalist and digital security expert Brian Krebs on his blog yesterday, citing sources at major credit card companies.
“The type of data stolen — also known as ‘track data’ — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe,” wrote Krebs. “It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that ‘when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.’”
The incident recalls the massive breach that off-price retailer TJX Companies suffered, which came to light in 2007. TJX settled with Visa for $41 million later that year and for $9.75 million with 41 U.S. state attorneys general in 2009. Sixty-five million Visa account numbers and 29 million MasterCard account numbers were compromised. In August 2008, 11 people were indicted for their roles in hacking into TJX’s systems.