Major U.S. discount retailer Target Corporation (NYSE:TGT) said on Thursday that information from 40 million credit and debit cards could have been stolen from its stores, over a period of more than two weeks, starting just days before Black Friday.

The Minneapolis-based company confirmed on Thursday that it is “aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores.”

About 40 million credit and debit card accounts “may have been impacted” from Nov. 27 to Dec 15, the company said. Authorities and finance institutions were alerted immediately after Target learned of the data breaches. An outside forensics firm will also help investigate the incident.

“We regret any inconvenience this may cause,”
Target CEO Gregg Steinhafel said in a statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

Information that could have been stolen includes customer names, card numbers, expiration dates and three-digit security codes on the back of cards, Target told shoppers in a letter on Thursday.

The company made clear that the breach only affected U.S. brick-and-mortar stores and not online sales or its Canadian stores. Target has almost 1,800 stores in the United States.

Target advised consumers to “remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.” Shoppers who visited Target between those dates should check their account for suspicious or unusual activity.

The company said the issue has since been resolved, so that it’s safe for shoppers to visit Target’s U.S. stores again.

The Secret Service is also investigating the breach, according to the Wall Street Journal, though it doesn’t comment on ongoing investigations. The theft involved stealing the data stored on the magnetic strips on credit and debit cards. Hackers can sell the information on the black market to buyers who produce fake credit cards.

It’s not the biggest data breach in recent memory. The retail industry suffered a similar blow in 2007, when data on up to 90 million cards was stolen from shoppers of The TJX Companies, Inc. (NYSE:TJX), parent of T.J. Maxx, HomeGoods and other chains.





As for skeptical shoppers worried about their next trip to target, the company responded: “We continue to invest in our security practices to protect our guests’ information.” Target also operates a name-brand credit card, known as the REDcards. 13 percent of Target store sales were paid for with REDcards in 2012.

Counting data breaches as a risk in its 2012 annual report, Target wrote: “If we experience a significant data security breach … we could be exposed to government enforcement actions and private litigation.

“In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether.”

The company said then that all data breaches in the past have been “insignificant,” implying that there may have been similar minor incidents. Target made $1.6 billion in profit on $51 billion in sales revenue in the nine months ending Nov. 2.

Target made an apology of sorts on Twitter early Thursday morning.



(Note: Target store front photo by