Target said hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a U.S. retailer.
The hackers worked at unprecedented speed, carrying out their operation from the day before Thanksgiving to this past Sunday, 19 days that are the heart of the crucial Christmas holiday sales season.
Target, the third-largest U.S. retailer, said on Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
Target did not detect the attack on its own, according to a person familiar with the investigation.
The retailer was alerted its systems might have been compromised by credit card processors who had noticed a surge in fraudulent transactions involving credit cards that had been used at Target, according to the source, who was not authorized to discuss the matter.
The timing of the breach could not have been worse for Target, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years. Target itself last month lowered its profit forecast for the year after disappointing sales in the third quarter.
Complaints from customers began to surface on social media as they learned of it early Thursday morning.
"Most of these attacks are just a cost of doing business," said Mark Rasch, a former U.S. prosecutor of cyber crimes.
"But an attack that's targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence."
Investigators are still trying to understand how the attack was carried out, including whether hackers found a weakness at Target's own computer network or through credit card services vendors. It was not immediately clear what percent of the transactions at its brick and mortar stores had been compromised but the company said its online business had not been affected.