Shoppers wait for the opening of the Target store in Benton Harbor, Mich., on Thanksgiving night.
(Photo: By Don Campbell, AP)
(USA TODAY) -- Target says that its stores have been hit by a major credit-card attack involving up to 40 million accounts.
Chief Executive Officer Greg Steinhafel confirmed Thursday morning earlier reports that a brazen data breach had taken place. In a statement, Steinhafel said: "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."
Mass hack affects almost 2 million Internet accounts
Web scammers get a jump on holiday shoppers
iPhone vulnerable to hackers
The retailer said that the unlawful access to customer information took place between Nov. 27 and Dec.15.
Earlier, the Secret Service confirmed to USA TODAY that it is investigating the massive data violation involving shoppers' personal credit-card information.
"The Secret Service will confirm it is investigating the incident at Target," spokesman Brian Leary said in a telephone interview Wednesday night. "We don't have any further comment because it's an ongoing investigation."
The breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year.
The breach involves the theft of information stored on the magnetic stripe on the backs of cards used at nearly all of Target's stores around the country, according to the Krebs on Security website, who first reported the news.
KrebsOnSecurity.com is the website of Brian Krebs, a national computer security expert and former Washington Post reporter.
Target is based in Minneapolis and has almost 1,800 stores in the United States and 124 in Canada, according to its website.
James Issokson, vice president of MasterCard communications, said in an e-mail to USA TODAY that a question regarding the potential breach "at this point is best directed to Target."
An expert with a global firm that helps companies respond to and mitigate breaches said while he could not address the Target situation specifically, many companies - large and small - are typically under-prepared when they face a breach.
Most important is that the potential breach be addressed quickly, to help get information out to those affected and to regulators, to bring in the right experts to address the breach (such as forensics experts who can stop cyber attacks) and to help preserve the public's trust in the company, said Mike Donovan, Global Focus Group Leader for Beazley Breach Response, headquartered in London.
"We see breaches across all sizes of companies," said Donovan, who is based in San Francisco. "You see the stories about the big ones in the news, but breaches are affecting companies all across the board."
Beazley recently responded to its 1000th breach and the company has seen a "significant number" of large breaches in the last four or five years, Donovan said.
It happens all the time, every day, with retailers, health care organizations, schools and other operations, he said.
"Any company that handles personal data is vulnerable," Donovan said.
The potential breach does not appear to involve online purchases, Krebs reports. It appears the type of data stolen would allow thieves to create counterfeit credit cards and, if pin numbers were intercepted, would also allow thieves to withdraw cash from ATM machines, according to Krebs.
Visa did not respond to e-mails or telephone messages left with its corporate office.