(Reuters) – Target Corp said data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday season, in the second-largest card breach at a U.S. retailer.
The data theft, unprecedented in its ferocity, took place over a 19-day period that began the day before Thanksgiving. Target said on Thursday that it identified and resolved the issue on December 15.
The company’s shares fell as much as 3.2 percent before the bell.
Though smaller than the breach disclosed in March 2007 by TJX Companies Inc, parent of apparel chains TJ Maxx and Marshalls, the data theft took place over a much shorter period and hit shoppers at the beginning of the U.S. holiday season.
Target said the breach might have compromised accounts between November 27 and December 15, a period of nearly three weeks.
The data theft revealed by TJX took place over 18 months, affecting 45.7 million payment cards, according to the company. Banks later said in court documents that the hackers could have obtained more than 94 million account numbers in the TJX case.
On Thursday, Target told customers in an alert on its website that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes.
“On December 15, we were able to identify an unauthorized access and we were able at that time to resolve the issue,” Target spokeswoman Molly Snyder said by telephone.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target’s 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. “It is very clear it is a sophisticated crime,” Snyder said.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
“While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales (will) trend in January,” said Brian Sozzi, chief executive officer of Belus Capital Advisors.
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
Target said it had alerted authorities and financial institutions immediately after it was made aware of the unauthorized access and that it was “putting all appropriate resources behind these efforts.”
The company said it hired a forensics firm to investigate the incident.
Target’s shares were down 1.7 percent an hour before the market was due to open.
The shares, which have risen 7.4 percent this year, closed at $63.55 on the New York Stock Exchange on Wednesday. The stock has largely underperformed the broader S&P 500 index, which has risen 27 percent this year.