NEW YORK - Target Corp., the second-largest U.S. discount chain, said Thursday that data for about 40 million debit and credit cards may have been wrongfully accessed in recent weeks and that law enforcement is investigating the matter.
The data was breached between Nov. 27 and Dec. 15, the Minneapolis-based company said in a statement. Target said it alerted authorities and financial institutions immediately and has now identified and resolved the issue. The Secret Service said Wednesday that it was probing the incident, and the company said it's working closely with law enforcement to bring those responsible to justice.
Target's challenges come as U.S. retailers gear up for the end of the holiday shopping season, which ShopperTrak predicts will be the slowest since 2009. The last thing Target needs right now as rivals pour on the discounts in a last-ditch grab for market share is for its customers to wonder if they should use their cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.
"The timing could be a concern, especially only a few days before Christmas," he said in an interview.
The breach came after the chain had already cut its annual forecast for same-store sales growth to 1 percent from as much as 2.5 percent in August. Doubts about its security could reduce purchases and the number of people signing up for a REDcard, its in-house credit and debit cards, Perkins said. Those card holders are the retailer's biggest spenders, he said.
"The longer-term risk is that people remember this who were going to sign up for a REDcard and don't," Perkins said.
Online shoppers at Target.com might be spooked too, given that a link across the top of the site Thursday read: "important notice: unauthorized access to payment card data in U.S. stores."
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," Gregg Steinhafel, chief executive officer of Target, said in the statement.
Brian Leary, a spokesman for the Secret Service in Washington, confirmed the agency is probing the matter while declining to comment further because the investigation is under way.
While the agency is best known for protecting the president, it was created in 1865 to fight currency counterfeiting. That role was expanded over the years to include certain kinds of fraud, including identity theft, electronic crime and computer intrusion. The service was part of the U.S. Treasury until 2003, when it was one of the agencies brought into the newly created Department of Homeland Security.
Data breaches have hit other retailers. TJX Cos., owner of the T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into its computer system and stole about 45.7 million credit- and debit-card numbers. The theft set a record at the time for such breaches.
In July, four Russians and a Ukrainian were charged in what prosecutors called the largest hacking scheme in U.S. history, a break-in to computers of retail chains that included 7-Eleven, Carrefour and Wet Seal.
KrebsOnSecurity, a blog written by Brian Krebs, a former Washington Post reporter, first reported that Target was investigating a breach potentially involving millions of customer card records, citing sources at two credit-card issuers.
The site also reported that Target customers had already been victimized. Molly Snyder, a spokeswoman for Target, declined to comment, citing the investigation. She also wouldn't comment on when Target first learned of the breach and where it took place in the transaction process.