MINNEAPOLIS – Target has confirmed it is aware of unauthorized access to almost 40 million of its customers' who used credit or debit cards in the last few weeks.
This only pertains to customers who shopped in stores in the U.S. and not those who made purchases online.
"Target is actually particularly sophisticated in information technology, and credit card information is usually the most secure at any merchant like Target, so this was probably bad luck or a really good hacker, " said William McGeveran, U of M Law Professor specializing in online privacy and security.
The Minnesota-based company says security breach happened between Wednesday, November 27 and Sunday, December 15.
Target says they alerted authorities and financial institutions immediately after they were made away of the situation. They also say the issue has been resolved at this time.
The United States Secret Service has already said they are investigating a credit and debit card data theft incident from Target stores.
"The Secret Service will confirm it is investigating the incident at Target," spokesman Brian Leary said in a telephone interview Wednesday night. "We don't have any further comment because it's an ongoing investigation."
The breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year.
The breach involves the theft of information stored on the magnetic stripe on the backs of cards used at nearly all of Target's stores around the country, according to the Krebs on Security website, who first reported the news.
"Sometimes there will be an insider, some employee, who actually places malware in the system. Other times maybe they'll get access to the system by tricking an employee, getting an employee to click on a link in an email or something, but we really don't know what mechanism the hackers used to get in at this point," added McGeveran.
KrebsOnSecurity.com is the website of Brian Krebs, a national computer security expert and former Washington Post reporter.
Target is based in Minneapolis and has almost 1,800 stores in the United States and 124 in Canada, according to its website.
James Issokson, vice president of MasterCard communications, said in an e-mail to USA TODAY that a question regarding the potential breach "at this point is best directed to Target."
An expert with a global firm that helps companies respond to and mitigate breaches said while he could not address the Target situation specifically, many companies — large and small — are typically under-prepared when they face a breach.
Most important is that the potential breach be addressed quickly, to help get information out to those affected and to regulators, to bring in the right experts to address the breach (such as forensics experts who can stop cyber attacks) and to help preserve the public's trust in the company, said Mike Donovan, Global Focus Group Leader for Beazley Breach Response, headquartered in London.
"We see breaches across all sizes of companies," said Donovan, who is based in San Francisco. "You see the stories about the big ones in the news, but breaches are affecting companies all across the board."
Beazley recently responded to its 1000th breach and the company has seen a "significant number" of large breaches in the last four or five years, Donovan said.
It happens all the time, every day, with retailers, health care organizations, schools and other operations, he said.
"Any company that handles personal data is vulnerable," Donovan said.
The potential breach does not appear to involve online purchases, Krebs reports. It appears the type of data stolen would allow thieves to create counterfeit credit cards and, if pin numbers were intercepted, would also allow thieves to withdraw cash from ATM machines, according to Krebs.
Visa did not respond to e-mails or telephone messages left with its corporate office.
In a statement on Target's website Tuesday morning, the company says:
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, chairman, president and chief executive officer, Target. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
Target Corp. said that customers who made purchases at its U.S. stores during the impacted period and suspected unauthorized activity should call them at 866-852-8680.
Target has 1,797 U.S. stores and 124 in Canada.