Target (NYSE:TGT) prepared for the kickoff to the lucrative holiday shopping season for months, but nothing could have prepared the retailer for this. According to Reuters, Target alerted customers on Thursday that data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday season, starting on the day before Thanksgiving.
The retailer said that it identified and resolved the issue on Sunday, and an investigation is currently underway. Following the announcement, Target’s shares fell as much as 3.2 percent before the opening of trading on Thursday.
According to Target’s alert, the data theft took place over a 19-day period that stretched from November 27 to December 15, three of Target’s busiest shopping weeks of the year. Target told customers that criminals had stolen customer names, payment card numbers, expiration dates, and their CVV security codes. Per Reuters, Krebs on Security, a security industry blog, reported that the breach affected nearly all of the retailer’s 1,797 stores in the United States.
Reuters reports that investigators believe the attackers involved in the crime employed software that can be installed on point-of-sales terminals used to swipe magnetic strips on payment cards. Investigators are still unsure how the attackers could have accessed the point-of-sales terminals at so many Target locations.
Target’s recent data theft is the second largest card breach a U.S. retailer has ever suffered, second only behind the breach disclosed in March 2007 by TJX Cos. Inc., the company that owns TJ Maxx and Marshalls. The data theft involving TJX took place over a much longer period — 18 months — and ultimately affected 45.7 million payment cards. Reuters reports that banks now believe criminals have obtained more than 94 million account numbers in 2007, and they could have accessed a lot more.
Target currently has the U.S. Secret Service working on its case, but it still faces the prospect of suffering the long-term effects of such a breach, because customers may now be leery about doing business with the retailer simply because a dark cloud has been cast over its name. Brian Sozzi, CEO of Belus Capital Advisors, said to Reuters, “While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales trend in January.”
At a time when retail competition is tighter than ever, this security breach is the last thing Target needs, especially as it works to take advantage of the last two busy shopping weeks of the holiday season. Nonetheless, the retailer has no choice but to keep up with the investigation. The company told consumers on Thursday it had alerted authorities and financial institutions once it was made aware of the unauthorized access and was “putting all appropriate resources behind these efforts.”