(Updates with cause of breach in sixth paragraph.)
Dec. 19 (Bloomberg) -- Target Corp., the second-largest U.S. discount chain, said data for about 40 million debit and credit cards may have been wrongfully accessed in recent weeks and that law enforcement is investigating the matter.
The information was breached from Nov. 27 to Dec. 15 and authorities and financial institutions were alerted immediately, the Minneapolis-based company said today in a statement. The U.S. Secret Service said yesterday that it was probing the incident, and two states’ attorneys general said today that they’ve begun inquiries.
Target’s challenges come as U.S. retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009. The last thing Target needs as rivals pour on discounts in a last-ditch grab for market share is for its customers to wonder if they should use their cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.
“The timing could be a concern, especially only a few days before Christmas,” he said in an interview.
Target, which has 1,797 stores in the U.S. and 124 in Canada, fell 2.2 percent to $62.14 at the close in New York. The stock has gained 5 percent this year, compared with a 42 percent gain for Standard & Poor’s 500 Retailing Index.
The breach occurred when a computer virus infected Target’s point-of-sale terminals where shoppers swipe a credit or debit card to make a purchase, said a person familiar with the matter who asked not to be identified because the investigation is private. Molly Snyder, a spokeswoman for Target, didn’t respond to a request for comment on the cause.
Target learned of the breach on Dec. 15 and then told the authorities, Snyder said. It didn’t disclose the issue until after the breach became public because it was focused on starting the investigation, she said.
If the information on cards’ magnetic strips was stolen, it would be one of the largest breaches of that kind of data in U.S. history while also shining a light on a need to update technology, said Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York. The thieves might have breached the entire point-of-sale system by introducing a computer virus into a software update for every device, Kaminsky said.
The U.S. trails other parts of the world in doing away with magnetic strips and moving to chips embedded within the card, which are harder to compromise, he said. The U.S. payments industry has a target of replacing magnetic strips by 2020, and that may be sped up because of this breach, he said.
Global card fraud losses for banks, merchants and processors climbed 15 percent last year from 2011 to $11.3 billion, according to the Nilson Report, a payments industry newsletter based in Carpinteria, California.
The breach came after the chain had already cut its annual forecast for same-store sales growth to 1 percent from as much as 2.5 percent in August. Doubts about its security could reduce purchases and the number of people signing up for a REDcard, its in-house credit and debit cards, Perkins said. Those cardholders are the retailer’s biggest spenders, he said.
Jami Aspenwall, a 36-year-old mother of five from Cartersville, Georgia, said she canceled her Target-issued debit card after someone made $500 in purchases with it. Those losses will now force her to postpone a trip to Tampa, Florida, to see relatives for Christmas because her bank said it may take two weeks to get the money back.
“We’ll have to sit down with the kids tonight and tell them your trip is likely on hold,” said Aspenwall, a stay-at-home mother of kids ranging from 3 to 18 years old. “I don’t want to ruin their Christmas. It’s not their fault.”
Online shoppers at Target.com might be spooked, too. A link across the top of the site today read: “important notice: unauthorized access to payment card data in U.S. stores.”
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” Chief Executive Officer Gregg Steinhafel said in the statement.
The retailer’s customers took to social media to voice displeasure about the breach and not being able to contact the company about their REDcard accounts.
One of them was Stephanie Manzano, a 28-year-old from Federal Way, Washington, who swore off Target after learning that data had been compromised. She canceled her Target debit card after not being able to reach the retailer’s customer service. She now plans to shift her shopping to Wal-Mart Stores Inc.
“It’s very stressful,” Manzano, a mother of a special-needs child, said in a phone interview. “I kept calling Target, and I just got a busy signal. While I’m trying to call them, someone could take my identity and take my money. With a special-needs child, you’re worried about your finances. We’re a one-income household, we can’t afford that.”
Target is working to fix online access to account information, Snyder said. She didn’t respond to a separate request for comment on reports of fraudulent charges and canceled cards.
Brian Leary, a spokesman for the Secret Service in Washington, confirmed the agency is probing the matter while declining to comment further because the investigation is under way.
While the agency is today best known for protecting the president, it was created in 1865 to fight currency counterfeiting. That role was expanded over the years to include certain kinds of fraud, including identity theft, electronic crime and computer intrusion. The service was part of the U.S. Treasury until 2003, when it was one of the agencies brought into the newly created Department of Homeland Security.
Data breaches have hit other retailers in the past. TJX Cos., owner of the T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into its computer system and stole about 45.7 million credit- and debit-card numbers. The theft set a record at the time for such breaches. In 2009, the company paid $9.7 million in a settlement with 41 U.S. states over the loss of customer data.
The attorneys general for Massachusetts and New York said today that they are reviewing the breach as well.
In July, four Russians and a Ukrainian were charged in what prosecutors called the largest hacking scheme in U.S. history, a break-in to computers of retail chains including 7-Eleven Inc., Carrefour SA and Wet Seal Inc. that involved more than 160 million credit card numbers.
KrebsOnSecurity, a blog written by Brian Krebs, a former Washington Post reporter, first reported the breach and that it involved the theft of data housed on the magnetic strip of cards used at stores, citing sources at two credit-card issuers. The site also said Target customers had been victimized.
--With assistance from Paul Jarvis in London, Steven Komarow and Margaret Talev in Washington and Fanni Koszeg and Elizabeth Dexheimer in New York. Editors: Kevin Orland, Robin Ajello