BOSTON — Target Corp. said hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a U.S. retailer.
In terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented. The operation was carried out over just 19 days during the heart of the crucial Christmas holiday sales season: from the day before Thanksgiving to this past Sunday.
Target, the third-largest U.S. retailer, said on Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
Target did not detect the attack on its own, according to a person familiar with the investigation.
The retailer uncovered the breach after credit card processors, who had noticed a surge in fraudulent transactions involving credit cards that had been used at Target, alerted it that its systems might have been compromised, according to the source, who was not authorized to discuss the matter.
For Target, the timing of the breach could not have been worse, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years. Target itself last month lowered its profit forecast for the year after disappointing sales in the third quarter.
Complaints from customers began to surface on social media as they learned of the breach early Thursday morning.
“Most of these attacks are just a cost of doing business,” said Mark Rasch, a former U.S. prosecutor of cyber crimes.
“But an attack that’s targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence.”
Investigators are still trying to understand how the attack was carried out, including whether hackers found a weakness in Target’s own computer network or came in through credit card services vendors. It was not immediately clear what percentage of the transactions at its brick-and-mortar stores had been compromised, but the company said its online business had not been affected.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc., led to the theft of data from more than 90 million credit cards over about 18 months.
Since then, companies have gotten far more adept at identifying intruders. But criminals have responded by developing more-powerful attack strategies, spending months on reconnaissance to launch highly sophisticated schemes with the goal of extracting as much data as they can in the shortest period of time.
Target’s shares were down 2.2 percent at $62.13 on the New York Stock Exchange on Thursday afternoon, while the Standard & Poor’s 500 stock index fell 0.09 percent.
Target warned customers in an alert on its website that the criminals had stolen names, payment card numbers, expiration dates and security codes.
The company had identified the breach on Sunday and had begun responding to it the same day, Target spokeswoman Molly Snyder told Reuters on Thursday.
She declined to explain why the retailer waited until Thursday to alert customers about the breach.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target’s 1,797 stores in the United States.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
Unhappy customers began to weigh in early on Thursday, posting complaints on Target’s Facebook page.
“Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again,” said one posting.
“Shop at Target, become a target,” remarked another. “Gee, thanks.”
JPMorgan Chase & Co., one of the biggest U.S. credit card issuers, said it was monitoring the accounts involved for suspicious activity and urged customers to contact the bank if they noticed any.
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
“This could hurt the end of the holiday season if for no other reason than many of their customers have to cancel cards ahead of holidays,” said Janney Capital Markets analyst David Strasser.
Target has been betting heavily that its REDcard private label debit and credit cards, launched in 2010, will help it win shoppers’ loyalty and give it an edge with its 5 percent automatic discounts. Last month, executives said the REDcards were used in 20 percent of sales in its stores last quarter, compared to 12 percent 18 months earlier. The REDcard also anchors a new subscription service Target is testing to compete with Amazon.com Inc.’s Prime delivery service.
The breach also comes at a time when Target is trying to build its online business, which by some estimates is only 2 percent of sales.
“All consumers will hear is that Target is not a safe place to use your credit card. That impacts trust, which in turn can impact retail’s fastest-growing and most trust-sensitive touch points: online and mobile,” said Carol Spieckerman, president of retail strategy firm newmarketbuilders.
Beyond the lost sales, Target is also likely to incur other costs from the breach, according to Avivah Litan, a Gartner analyst who specializes in cyber-security and fraud detection. “The main victim is Target. They are going to pay for any fraud on the card,” she said. “They will get fined (by card issuers) for non-compliance with payment card security standards. Their merchant fee will probably go up a few basis points.”