Target is grappling with a data security nightmare that threatens to drive off shoppers during the company’s busiest time of year.
The nation’s second-largest discounter said Thursday that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.
The data theft marks the second largest credit card breach in the U.S. after retailer TJX Cos. announced in 2007 that at least 45.7 million credit and debit card users were exposed to credit card fraud.
Target’s acknowledgement came a day after news reports surfaced that the discounter was investigating a breach.
The chain said customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts
The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards.
The data breach did not affect online purchases, the company said.
The stolen information included Target store brand cards and major card brands such as Visa and MasterCard.
The Minneapolis company, which has 1,797 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach on Dec. 15. The company is teaming with a third-party forensics firm to investigate and prevent future breaches.
“A data breach is of itself a huge reputational issue,” said Jeremy Robinson-Leon, a principal at Group Gordon, a corporate and crisis public relations firm. He noted that Target needs to send the message that it’s rectifying the problem and working with customers to answer questions. He believes Target should have acknowledged the problem on Wednesday rather than waiting until early Thursday.
Target advised customers on Thursday to check their statements carefully. Those who see suspicious charges on the cards should report it to their credit card companies and call Target at 866-852-8680. Cases of identity theft can also be reported to law enforcement or the Federal Trade Commission.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Chairman, President and CEO Gregg Steinhafel said in a statement Thursday.