Black Friday just got a bit more black.
Target Corp., one of the U.S.’s leading retail outfits, confirmed in a statement Thursday morning that reports of a massive breach of the company’s payment infrastructure, resulting in the exposure of data on an estimated 40 million credit and debit card accounts.
The statement, released on Target’s website, follows media reports on Wednesday citing reports from leading credit card issuers. In it, the company confirmed “it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores.”
According to statements by Target, the credit card data was stolen between Nov. 27 and Dec. 15, 2013 and includes customer name, credit or debit card number, and the card’s expiration date and the CVV, or three-digit security code. Shoppers at the company’s U.S. stores were affected, but the breach did not affect Target’s Canadian outlets nor its online store, Target said.
The company said it alerted authorities and financial institutions immediately after it was made aware of the unauthorized access. The company said it is partnering with “a leading third-party forensics firm to conduct a thorough investigation of the incident.”
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” said Gregg Steinhafel, Target’s Chairman, President and CEO in a statement. “We regret any inconvenience this may cause.”
In a statement to customers on its website, Target recommended that anyone who shopped at one of its stores during the period of the breach should monitor their credit card statements careful, and report suspicious charges to their card to the card issuer and authorities.
The breach at Target was auspiciously timed with the start of the holiday shopping season, when retailers typically experience double-digit increases in shopping. It comes at the end of a year that has brought news of other, large breaches affected customer accounts. Notably: in October, the software vendor Adobe disclosed the theft of more than 150 million customer credentials affecting 38 million active customers. Then, in November, the web site Krebsonsecurity.com disclosed that data belonging to around 40 million customers of CupidMedia – an online dating firm – was discovered on a server linked to cyber criminals involved in the attacks on Adobe, PR Newswire and other companies.