Target, America’s second-largest retailer, confirmed Thursday that the credit card information of up to 40 million customers may have been electronically stolen between Black Friday and Dec. 15.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Target chairman, president and C.E.O Gregg Steinhafel said in a Thursday statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
The announcement comes one day after the U.S. Secret Service spokesman Brian Leary confirmed it was investigating the incident, but declined to release any details.
It appears that Target’s point-of-sale (POS) checkout machines were used to copy data from the magnetic strip on the back of credit and debit cards swiped through the system’s card readers.
Such incidents in the past have commonly involved employees with access to the POS systems, who install malware or hardware programmed to copy card information.
Target currently has 1,797 stores in the U.S. and 124 stores in Canada, and its customers have a median household income of about $64,000.
U.S. retail sales rose by 2 percent by the end of last week, reflecting the annual increase in consumer spending common in the fourth quarter of every year.
“Any company that handles personal data is vulnerable,” security company Beazley Breach Response Global Focus Group Leader Mike Donovan said in USA Today. “You see the stories about the big ones in the news, but breaches are affecting companies all across the board.”
It took Target almost a week to confirm the breaches that were reportedly first disclosed by a security blogger, citing sources from to major credit card issuers.