Three class-action lawsuits have been filed in the wake of the theft of data on about 40 million credit and debit card accounts of shoppers at Target from Nov. 27 to Dec. 15. More than $5 million in damages is being sought in the cases, two of which were filed in California and one in Oregon.
Attorneys general in at least four states—Connecticut, Massachusetts, New York and South Dakota—have asked Target for information about the breach. That's the first step to a possible multi-state investigation into the breach.
Meanwhile, millions of the card accounts stolen have begun showing up for sale on the black market, says the security reporter who initially broke the news about the breach. "Credit and debit card accounts stolen in (the Target breach) ... have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card," writes Brian Krebs on his KrebsOnSecurity.com site.
Over the weekend, Target offered customers a 10% discount in its U.S. stores, after CEO Gregg Steinhafel said on Friday that the company would provide free credit monitoring to at-risk customers.
The company may need to do a lot more in coming days. "With these data security breaches, there's usually the question of consumer confidence and trust," says Daren M. Orzechowski, a New York-based intellectual property attorney with White & Case LLP. "They have to balance if they feel they need to do more to try to preserve consumer confidence."
The speed of class-action suits and state officials getting involved "is not surprising," says Orzechowski, who deals in data privacy issues. Many states have strong breach notification laws that require the attorney general be notified, he said.
Both the state and civilian queries will be interested in "when did Target know there was an issue and how long did they wait, in terms of responding, because there's a lot of obligations on promptly notifying people and there is going to be a lot of focus on that in the days to come."
As of yet, there's no idea of how much consumers were harmed, says Columbia Law School professor John Coffee. "We do not yet know if Target was negligent or whether these were very skillful hackers who could have penetrated any system--but those critical factual issues seldom slow the race to the courthouse," he said.
Also investigating the Target breach—the second-largest in U.S. history, behind a 2005 case involving retailer TJX—is the Secret Service. Target is based in Minneapolis and has almost 1,800 stores in the United States and 124 in Canada, according to its website.
Target is directing customers to its website and a toll-free phone number for more information about the breach.
The breach could also lead to smarter, more hacker-resistant smart cards. "We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. In the U.S., most account info is contained on the magnetic strip on the card's back and is easily replicated. In the rest of the world, most cards contain digital chips that create a unique code, not easily copied, every time the card is used.
—By Mike Snider of USA Today. The Associated Press contributed to this report.