The breach of data for 40 million shoppers at Target over the heart of the holiday shopping season could cast a pall over the few days left before Christmas.
It would most likely affect Target, analysts say, but in a season that has been less than jolly for most retailers, no speed bumps were needed.
Retailers are facing headwinds of a shorter holiday season and fierce competition from web competitors. The National Retail Federation has forecast "marginal" sales gains of just 3.9 percent, and others are less optimistic. The CNBC All-Economic survey expects a 9.4 percent drop in holiday spending.
Given that only 8.9 percent of shoppers had completely finished their holiday shopping by Dec. 13, according to the NRF, news of the breach could prompt procrastinators to head to competitors such as Amazon or Wal-Mart for items on their lists during the last critical week. "Forty-million is a large number, and it doesn't take a lot to make a difference," said David Strasser, a retail analyst for Janney Montgomery Scott.
A Target spokeswoman said the retailer is currently focused on handling the guests affected by the breach.
Helen Lane of Newport News, Va., is among those Target shoppers who are making alternate plans. "I'm usually in Target once a week, but around this time of year? I've been there three times this week," said Lane, a graphic designer. She hasn't heard yet from Target if her store REDcard, which links to her checking account, was among those affected. But she said she's unwilling to risk her balance until she gets the all-clear, or a new card.
"I probably won't go there for a few weeks until they figure this out," Lane said. Instead, she'll head to the nearby Trader Joe's and Wal-Mart.
Other Target customers concerned about their accounts were unable to get answers Thursday. Target's credit card web site has been down, and its toll-free hotline for questions about the breach was jammed. A Target spokesperson told CNBC that the security breach had resulted in higher than normal volume, which the retailer was working to resolve.
Target said Thursday the breach involved customer names and debit and credit card numbers, as well as card expiration dates and the cards' three-digit CVV security codes. The store said customers who shopped there between Nov. 27—two days before Black Friday—and this past Sunday should review their accounts for suspicious activity.
In a statement, Target said it has "identified and resolved the issue of unauthorized access to payment card data." The retailer said it alerted authorities and financial institutions of the breach, and will investigate with the aid of a third-party forensics firm.
Analysts say Target could also be on the hook for losses stemming from unauthorized charges due to the breach, and higher interchange fees from issuers of affected cards.
"Near term, it's obviously not good for the company," said Ken Perkins, an analyst for Morningstar. "I wouldn't be surprised if this results in some financial implications." Target even may see fewer consumers applying for its store-branded REDcards, which tend to drive loyalty, he said.
If shoppers like Lane divert, it's likely to be short-term. "I feel like most everybody has gotten a letter in the past five years that says, 'There's been a breach on your account,' " said Joseph Feldman, senior retail analyst for Telsey Advisory Group. Breaches tend to be quickly forgotten once affected shoppers have new cards in hand and unauthorized charges purged from their accounts, he said.
In a note Thursday, Patrick McKeever, managing director of MKM Partners, wrote that there's little historical precedent for consumer backlash. After TJX Companies—parent to T.J. Maxx, Marshalls and HomeGoods—announced a breach involving 90 million card numbers in January 2007, same-store sales rose from 2 percent in the first quarter of that year to 5 percent in the second quarter.
"We believe consumers understand things like this can happen even to the best companies, and after they do, feel more secure using their cards as they assume greater precautions are being taken," McKeever said in the note.
—By CNBC's Kelli B. Grant. Follow her on Twitter @kelligrant.