Target said Thursday the payment card information of about 40 million of its customers who shopped in stores during peak holiday shopping season was exposed during a security breach.
In a statement on its website, Target said the unauthorized access to credit and debit card data included customer names, credit or debit card numbers, expiration dates and three-digit security codes.
• MPR News: Beware: On a smaller scale, breaches happen every day
• Marketplace: Why Target shoppers shouldn't stress about hack
• Data breach: What the experts are saying
• FTC: Are you affected by the recent Target hack?
• More: Target stock and market performance
Target officials declined interview requests Thursday morning, though the company spent much of the day on social media responding to questions and criticism from thousands of angry consumers.
The security breach involves customers who purchased items at Target stores, but not the website, between Nov. 27 and Dec. 16.
Target urged customers to monitor their bank and credit card statements for errors and to check their credit reports for unauthorized activity.
The breach involves all credit and debit cards used at Target stores, including Target's popular REDcards, which provide customers with 5 percent discounts on most purchases.
Scott Mayer of Minneapolis shopped at Target on Thanksgiving night and suspects his credit card information was stolen.
He received an email from his credit card company on Tuesday asking him if he had made purchases at a Best Buy store in Seattle. Mayer called right away about the unauthorized purchase and his card was canceled.
"It was a surprise," Mayer said. "I had my credit card with me at all times and didn't even think that my credit card could have been compromised by stealing data from one of the retailers that I use."
Company officials said a "third-party forensics firm" had been tapped to investigate the incident and executives were working with law enforcement to find those responsible for the breach.
Target officials said the breach has been resolved and customers can continue shopping and using credit cards.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue."
Target customers whose Visa credit cards were affected by the data breach will not have to pay for unauthorized purchases, said Visa spokeswoman Rosetta Jones.
"They are protected against fraudulent purchases with Visa's zero-liability protection," she added. "If they review their statements and notice any unusual activity, they should alert their financial institution and they will not be financially responsible for that purchase."
In the end, chances are there won't be a lot of fraudulent purchases made with stolen account numbers.
Payment card companies are very good at sniffing out crooked transactions fast, detecting purchases, for instance, that don't jive with a consumer's usual pattern, said David Robertson, publisher of the Nilson Report, which tracks the payment card industry. He says that just because a card number is stolen doesn't mean fraud will occur.
"The credit card companies --Visa, MasterCard, Discover and American Express-- are really, really good at fighting fraud," he said. "So, the actual fraud that will occur is pretty miniscule."
Better Business Bureau leaders also urged consumers to take a deep breath.
"First of all, if you used a credit card at Target in the past few weeks, don't panic," Carrie Hurt, CEO of the Council of Better Business Bureaus, said in a statement.
"You are not liable for any fraudulent charges on your account," Hurt noted.
On its website, the group has posted advice on how to make sure your card was not used fraudulently.
Target is just the latest retailer to be hit with a data breach problem. TJX Cos., which runs stores such as T.J. Maxx and Marshall's, had a breach that began in July 2005 that exposed about 46 million credit and debit cards to possible fraud. The breach wasn't detected until December 2006.
In June 2009 TJX agreed to pay $9.75 million in a settlement with multiple states related to the massive data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws.
An even larger hack hit Sony in 2011. It had to rebuild trust among PlayStation Network gamers after hackers compromised personal information including credit card data on more than 100 million user accounts. Sony was criticized for slowness in alerting users to the breach.
Depending on how damaging the breach is, many consumers could need new credit cards. That call will be up to card issuers. But replacing a card would not be without some hassles. For instance, consumers with automatic bill payments tied to affected credit cards would have to update their payment information.
Replacing debit cards would be more of a headache, said David Robertson, publisher of the Nilson Report, which tracks the payment card industry.
"You have to conceivably shut down your checking account. That's different than getting a new credit card number. Target has the public relations fiasco of having to tell all these debit card customer they didn't protect their data."
Robertson said that whoever is deemed responsible for the data breach will be fined by the card industry. The fine, which would be pegged to the cost of issuing new cards and otherwise resolving the problem could run into the tens of millions of dollars, he said.
That's not a lot of money for Target, which earned about $3 billion in its most recent fiscal year.
Jones, the Visa spokeswoman, said fraud accounts for just 6 cents of every $100 Visa cardholders spend, thanks to better technology that alerts customers, for instance, if their card has been used in another state or country.
"That's the technology working real-time to protect consumers and monitor for these anomalies. And because of that, the incidence of fraud, despite the magnitude of potential lost data, is actually really rare," she said.
"It's very rare to see charges that come a week or two weeks after a credit card has been stolen," said Heidi Moore, U.S. finance and economics editor for the Guardian newspaper.
"The thieves know that they're working with a ticking clock and that once people discover that the card is gone or the number has been stolen, they'll cancel it," she said.
Target Corp. stock closed down more than 2 percent Thursday. But such a relatively minor dip indicates Wall Street isn't very worried for now, at least, about the data breach hurting Target all that much financially.
While news of the breach may be causing turmoil for Target customers, it shouldn't do any long term damage to the corporation, analysts say.
The snafu could hurt short-term sales. But in the long-term "it means basically nothing" for Target, said Brian Yarbrough, a retail analyst with the Edward Jones investment firm. "Near-term though, the big risk is people get a little nervous about going there," he said. "Unfortunately, this is the busiest two shopping days we'll see --Saturday and Sunday -- before Christmas."
"This is a real blow," said retail analyst Howard Davidowitz. "I think it will hurt their sales to some extent. I think it's going to cost them money. It's going to affect their earnings. But mainly, it's going to impact their image."
Target has long strived to get customers to use its Target-branded credit and debit cards, offering shoppers five and sometimes ten percent discounts for using the cards. Of late, the cards have accounted for about a fifth of the retailer's sales. Morningstar retail analyst Ken Perkins says the data breach could put in crimp in that program's success.
"This certainly doesn't bode well for customers that may have been looking to get a REDCard," he said. "Now, they may have concerns about signing up for that."
The Associated Press contributed to this report.
Your support matters.
You make MPR News possible. Individual donations are behind the clarity in coverage from our reporters across the state, stories that connect us, and conversations that provide perspectives. Help ensure MPR remains a resource that brings Minnesotans together.