North American Retailer Target Admits Data Breach May Affect 40m

North American retail chain Target, which has 1,797 US stores and 124 in Canada, said that about 40m credit and debit card accounts may have been affected by a data breach that occurred during the busy Thanksgiving and Christmas shopping period.

The company, which is based in Minneapolis, Minneota, said that accounts of customers who made purchases by swiping their cards at terminals in its US stores between 27 November and 15 December may have been exposed. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes on the backs of cards. The data breach apparently did not affect online purchases.

Target added that it immediately notified authorities and financial institutions once it became aware of the breach and is now working with a third-party forensics firm to investigate the matter and prevent future breaches. It said it is devoting all ‘appropriate resources’ to the issue.

The company did not reveal how the data breach occurred, but stressed that it has now fixed the breach and that credit card holders can continue shopping at its stores. Asked whether there would be a certain period after which shoppers could be reassured that their accounts will no longer be vulnerable, a Target spokeswoman said: “We encourage everyone to be vigilant.”

A statement issued by the company’s chairman, president and chief executive officer (CEO), Gregg Steinhafel, said: “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause.”

Other North American retailers to have experienced a data security problem include TJX Cos, parent of the TJ Maxx and Marshall’s chains. A breach that began in July 2005 exposed at least 45.7m credit and debit cards to possible fraud and went undetected until December 2006.

In June 2009 TJX agreed to pay US$9.75m in a settlement with multiple states related to the data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws.


Related reading