Target confirms massive credit-card data breach

Melanie Eversley and Kim Hjelmgaard | USA TODAY

Target data breach could affect 40 million customers. The Secret Service is investigating a potentially massive data breach involving credit and debit cards used at Target stores nationwide. The retailer says up to 40 million accounts may have been affected this holiday shopping season.

Breach involves information stored on magnetic stripe on back of cards

Situation appears to involve nearly all Target stores in the United States

Up to 40 million accounts affected, Target says

Target says that its stores have been hit by a major credit-card attack involving up to 40 million accounts.

Chief Executive Officer Gregg Steinhafel confirmed Thursday morning earlier reports that a brazen data breach had taken place. In a statement, Steinhafel said: "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."

The retailer said that the unlawful access to customer information took place between Nov. 27 and Dec. 15.

Earlier, the Secret Service confirmed to USA TODAY that it is investigating the massive data violation involving shoppers' personal credit-card information.

"The Secret Service will confirm it is investigating the incident at Target," spokesman Brian Leary said in a telephone interview Wednesday night. "We don't have any further comment because it's an ongoing investigation."

The breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year.

The breach involves the theft of information stored on the magnetic stripe on the backs of cards used at nearly all of Target's stores around the country, according to the Krebs on Security website, which first reported the news.

KrebsOnSecurity.com is the website of Brian Krebs, a national computer security expert and former Washington Post reporter.

Target is based in Minneapolis and has almost 1,800 stores in the United States and 124 in Canada, according to its website.

James Issokson, vice president of MasterCard communications, said in an e-mail to USA TODAY that a question regarding the breach "at this point is best directed to Target."

An expert with a global firm that helps companies respond to and mitigate breaches said that while he could not address the Target situation specifically, many companies — large and small — are typically under-prepared when they face a breach.

Most important is that the breach be addressed quickly, to help get information out to those affected and to regulators, to bring in the right experts to address the breach (such as forensics experts who can stop cyberattacks) and to help preserve the public's trust in the company, said Mike Donovan, Global Focus Group Leader for Beazley Breach Response, headquartered in London.

"We see breaches across all sizes of companies," said Donovan, who is based in San Francisco. "You see the stories about the big ones in the news, but breaches are affecting companies all across the board."

Beazley recently responded to its 1,000th breach and the company has seen a "significant number" of large breaches in the last four or five years, Donovan said.

It happens all the time, every day, with retailers, health care organizations, schools and other operations, he said.

"Any company that handles personal data is vulnerable," Donovan said.

The breach does not appear to involve online purchases, Krebs reports. It appears the type of data stolen would allow thieves to create counterfeit credit cards and, if PIN numbers were intercepted, would also allow thieves to withdraw cash from ATM machines, according to Krebs.

Visa did not respond to e-mails or telephone messages left with its corporate office.

Kim Hjelmgaard contributed to this story from London.