MINNEAPOLIS — Hackers gained access to as many as 40 million credit and debit cards used by customers of Target during the holiday shopping season, the company reported Thursday, in one of the biggest data breaches in history.
Customers who made purchases by swiping their cards at its U.S. stores between Nov. 27 and Sunday may have had their accounts compromised.
The stolen data included customer names, credit and debit card numbers, card expiration dates, and the embedded codes on the magnetic strips on back of the cards, Target said.
There was no indication the three or four-digit security numbers on the backs of cards were affected.
The breach did not affect online purchases, Target said.
Target has not disclosed how the breach occurred but said it has fixed the problem.
The breach highlighted vulnerabilities in the massive, interconnected shopping systems used for billions of dollars of retail transactions every day.
Customers at Target’s nearly 1,800 stores in the United States were potentially affected.
Consumers are not generally responsible for unauthorized purchases, but the scramble to cancel compromised cards and issue replacements threatens to cause disruptions as shoppers move into the final days of the most lucrative season of the retail year.
The Secret Service, which investigates financial fraud, is looking into the intrusion.
Major breaches in the past have drawn scrutiny and in some cases fines from federal and state officials when they determined companies did not adequately protect private customer information.
“Whatever money Target thought they were going to get during the holiday season just got flushed down the data-breach toilet,” said John Kindervag, an analyst and data security expert at Forrester, a research firm.
He estimated Target will have to spend at least $100 million to cover legal costs and to fix whatever went wrong.
Mr. Kindervag said the company will owe money to card brands, such as Visa and American Express, that must reimburse customers for fraudulent transactions.
Target, one of the nation’s largest retailers, also faces the risk of enduring damage to its reputation, analysts and consumer advocates said.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, Target’s chief executive officer.
“We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Target said it notified law enforcement authorities and financial institutions after finding the breach. The company said it also has hired an outside forensics firm to investigate the incident and strengthen its systems.
The company declined to comment on how the intrusion happened, when it learned it had occurred, and what kind of encryption, if any, is used to protect consumer data.
Outside security experts said the information Target reported stolen is on the magnetic strips of debit and credit cards and could be used to create fraudulent cards.
The payment systems used in modern retailing are sprawling, with countless card readers in individual stores gathering data, transmitting them on internal corporate networks, and communicating with banks before approving purchases.
Hackers potentially could find weaknesses at any point in the system.