With Secret Service agents in Minneapolis investigating the extent of the fraud, Javelin Strategy & Research, a consulting firm, estimates the total damage to banks and retailers could exceed $18 billion. Consumers could be liable for more than $4 billion in uncovered losses and other costs. Investigators also say they believe that the invasive hack at Target was part of a broader campaign aimed at least half a dozen major retailers. So far, one other retailer, Neiman Marcus, has said that its system was breached at the in-store level, not through online shopping, and people with knowledge of the investigations have been reluctant to discuss whether the two are related.

Image Mandiant’s founder and chief executive, Kevin Mandia. Credit... Jacquelyn Martin/Associated Press

Investigators have seen some malicious software similar to that installed at Target in recent years, but they described the design of this malware on point-of-sale systems as particularly wily. The coding was written in a way that was adaptive and persistent.

Grabbing Data

Once installed, the hackers’ malware snatched customers’ data — directly off the card’s magnetic strips of credit and debit cards — that is normally sent for processing to banks and credit card companies. The stolen data was then lifted and stored on an infected server inside Target, awaiting an order from the criminals. The coding was easily manipulated so that it could receive instructions from its handlers in real-time, changing at their command.

Four miles from Target’s headquarters in Minneapolis and more than a week before the public learned of the data breach, Patrycia Miller looked at the bill for the American Express account she and her husband used in their dog day care business.

The usual charges appeared, including some from Target, where they shop a couple of times a week. But a few stood out — a membership fee to Match.com and a $1,291.58 plane ticket on South African Airways from Lagos, Nigeria, to Johannesburg and Nairobi, Kenya.

She asked her husband what he was up to.

Puzzled, Mr. Miller assured her he had not signed up for an online dating service and had not booked an African flight — “Not for that price,” he said.

American Express swiftly credited their account and issued new cards.

But it wasn’t until Target confirmed the breach on Dec. 19 that the Millers learned what had happened.