SAN FRANCISCO — Target is investigating a security breach involving stolen credit card and debit card information for millions of its customers, according to one person involved in the investigation.
The breach, which was first reported Wednesday by Brian Krebs, a security blogger, began the day after Thanksgiving, and may be continuing, according to the person involved in the investigation, who spoke only on condition of anonymity.
It is unclear whether Target's online customers were affected. Cybercriminals appear to have focused on the point-of-sale systems in Target's retail stores, which collect information from customers' credit and debit cards, and potentially personal identification numbers, or PINs.
Representatives for Target did not return requests for comment.
The breach is currently being investigated by Target and major card companies, according to the source. The Secret Service is also investigating, said Brian Leary, a spokesman for the service.
By breaching point-of-sale systems, cybercriminals can create counterfeit cards. If they were able to intercept the PIN information, as well, it is also possible that thieves could withdraw money from a customer's account through an A.T.M. A similar breach affected Barnes & Noble stores last year. In that case, customers at 63 Barnes & Noble stores across the country, including New York City, San Diego, Miami and Chicago, were affected.
To date, Target customers have not yet been made aware of the breach. Though state notification laws differ, most states require that companies notify customers of a breach if their names are compromised in combination with other information like a credit card, Social Security number or driver's license number.
But states make exceptions for encrypted information. As long as companies scramble consumer information with basic encryption, the law does not require companies to tell customers about a breach.
Point-of-sale systems have become a major target for cybercriminals in recent years. To pull off such a breach, security experts said, a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware, giving cybercriminals a foothold in the company's point-of-sale systems.
In addition to payment systems at Barnes & Noble last year, criminals also breached Global Payment Systems, one of the biggest card transaction processors. The biggest known security compromise to date was an attack at Heartland Payment Systems, another credit card processor, in 2009. Criminals used malware to break into the company's internal network and steal data for 130 million cards.
"Why do we keep hearing about this? Because criminals go where the money is," said Michael Sutton, a vice president for research at ZScaler, a security company. "Typically, criminals will steal credit card information and then sell it. There's a very elaborate economy built around this type of crime. That's a very valuable asset that can be obtained completely through remote Internet access."
Security experts advise Target customers to scan their accounts for unauthorized transactions and change the PINs to their debit accounts.
"There's not a great deal customers can do, other than take the necessary steps, like changing passwords, credit card numbers if they have been informed of a breach," Mr. Sutton said. "Beyond that, they can take proactive steps like shopping with reputable vendors."
"Then again," he added. "Here we are talking about one of the largest retailers in the United States. No one is immune."
—By Nicole Perlroth of The New York Times