Target Corp. said hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a U.S. retailer.
In terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented. The operation was carried out over just 19 days during the heart of the crucial holiday sales season, which ran from the day before Thanksgiving to this past Sunday.
Target did not detect the attack on its own, according to a person familiar with the investigation.
The retailer uncovered the breach after it was alerted its systems might have been compromised by credit card processors who had noticed a surge in fraudulent transactions involving credit cards that had been used at Target, according to the source, who was not authorized to discuss the matter.
For Target, the timing of the breach could not have been worse, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years. Target itself last month lowered its profit forecast for the year after disappointing sales in the third quarter.
Investigators are still trying to understand how the attack was carried out, including whether hackers found a weakness at Target’s own computer network or through credit card services vendors. It was not immediately clear what percent of the transactions at its brick and mortar stores had been compromised but the company said its online business had not been affected.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.