Payment data for around 40 million customers may have been compromised in a security breach, Target reported Thursday.
The company said in a statement that data was accessed for customers who paid via credit or debit cards at Target stores between Nov. 27 and Dec. 15 – a time when many Americans do the bulk of their holiday shopping. The time period affected starts just two days before Black Friday and ended early this week. Target said in a statement that compromised information included customer names, credit or debit card numbers, card expiration dates and card verification value numbers.
"We began investigating the incident as soon as we learned of it," the company said in a letter to customers posted on its corporate website. "We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future."
Investigators believe that software installed on card-swipe machines at Target stores collected the data, Reuters reports. That information could allow thieves to create counterfeit cards. If the people responsible were able to obtain PIN information, writes security blogger Brian Krebs, that could also allow thieves to withdraw money from ATMs.
The company said it alerted authorities and banks immediately upon learning of the breach and added that it is committing its "full resources" to the investigation.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Target CEO Gregg Steinhafel in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
The company advised customers who believe their information has been accessed to call 866-852-8680. Target also advised customers to check their account statements and credit reports.