Thursday, December 19, 2013

A Target store in Miami on Thursday. Cybercriminals appear to have targeted the point-of-sale systems in Target’s retail stores, which collect information from customers’ credit and debit cards.


In a statement, Target said that criminals gained access to its customer information on Nov. 27 — the day before Thanksgiving and just ahead of one of the busiest shopping days of the year — and maintained access through Dec. 15.
“As of Dec. 15, we identified an unauthorized access and were able to resolve the issue,” Molly Snyder, a Target spokeswoman, said in an email.
A security blogger, Brian Krebs, first reported the breach on Wednesday.
Target said that criminals had stolen customer names, credit or debit card numbers, expiration dates and three-digit security codes for 40 million customers who had shopped at its stores. The company noted that online customers were not affected by the breach, which appeared to have been isolated to the point-of-sale systems in Target’s retail stores.
Immediately after discovering the breach, Target said, it alerted federal authorities and financial institutions, and is currently working with a third-party forensics firm on an investigation.
Brian Leary, a spokesman for the Secret Service, which investigates financial fraud, said the agency was investigating.
Target advised its store customers to scan their credit and debit accounts for unauthorized transactions and check their credit reports.
“We take this matter very seriously and are working with law enforcement to bring those responsible to justice,” Gregg W. Steinhafel, Target’s chairman and chief executive, said in a statement.
The company is encouraging everyone who shopped in its United States stores with a credit or debit card during the period, in all regions of the country, to monitor their accounts. Ms. Snyder said she could not disclose the number of people in that group. She said the company began alerting customers Thursday morning.
Citing the ongoing investigation, Ms. Snyder said she could not disclose how the company became aware of the problem.
At this stage, the company’s approach to outreach has been using social media, email and news coverage to alert customers, rather than targeting particular customers who may have been affected. The company also set up a dedicated hotline for its shoppers, with hundreds of people to answer the phones.
Some shopper data was also compromised in 2007, Ms. Snyder said, but the exposure and the number of accounts were “extremely limited.”
This time, however, the breach is massive, and it could hardly come at a worse time of year for the retailer, during the final surge of Christmas shopping. The holiday shopping season can generate anywhere from 20 to 40 percent of a retailer’s annual sales, according to the National Retail Federation.
Ms. Snyder said some Target Red Card holders were having trouble accessing their accounts online Thursday. She said Target was working to fix the problem as quickly as possible.
Point-of-sale systems have become a major target for cybercriminals in recent years. By breaching point-of-sale systems, they can steal the so-called track data on credit and debit cards, which can be sold, in bulk, on the black market and used to create counterfeit cards.
A similar breach affected Barnes & Noble stores last year. Last year, criminals also breached Global Payment Systems, one of the biggest card transactions processors. The biggest known security compromise to date was an attack at Heartland Payment Systems, another credit card processor, in 2009. Criminals used malware to break into the company’s internal network and steal data for 130 million cards.
In such cases, security experts said a company insider could have inserted malicious software into a company machine, or persuaded an unsuspecting employee to click on a link that downloaded software giving criminals a foothold into a company’s systems.
On Thursday, the Target website was festooned for the holidays with discounts, stocking stuffer suggestions, and a color palette of red and green. At the top of the festive page, however, was a stark alert in black and white: “Important notice: unauthorized access to payment card data in U.S. stores.”