UPDATE 1-Target says data from 40 mln cards stolen in Nov-Dec
Dec 19 (Reuters) - Target Corp <TGT.N > said data from about 40 million credit and debit card accounts might have been stolen from customers who shopped in its stores over a 19-day period ending Sunday, in one of the largest card breaches at a U.S. retailer.
The company said it had identified and resolved the issue, which started on the day before Thanksgiving.
Target did not say how the breach, which might have compromised accounts between Nov. 27 and Dec. 15, had occurred or what percentage of its customers had been affected.
"On December 15, we were able to identify an unauthorized access and we were able at that time to resolve the issue," Target spokeswoman Molly Snyder told Reuters.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target's 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. "It is very clear it is a sophisticated crime," Snyder said.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
Target said on Thursday that it had alerted authorities and financial institutions immediately after it was made aware of the unauthorized access and that it was "putting all appropriate resources behind these efforts."
The company also said it hired a forensics firm to investigate the incident.
The biggest credit card breach at a U.S. retailer was at TJX Companies Inc, the parent of TJ Maxx and Marshalls apparel chains.
The company disclosed in March 2007 that data from 45.7 million payment cards had been stolen by hackers over 18 months. Banks later said in court documents that the hackers could have obtained more than 94 million account numbers.