Target reported that hackers stole up to 40 million credit and debit card records, including Target REDcards, of customers who shopped in-store in the second-largest retail data breach on record.
“We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card's expiration date and CVV,” Target said on Thursday.
The attacks occurred between Nov. 27 and Dec. 15, at the height of the 2013 holiday shopping season.
According to Verizon, the majority of breaches (62%) take months to discover, so Target's response was relatively quick in comparison.
The retail giant said it alerted authorities and banks immediately after the breach was discovered by a third party, and has partnered with a forensics firm to investigate further.
Nearly every state, the District of Columbia, and Puerto Rico legally require entities to notify individuals of security breaches involving personally identifiable information (PII).
On its website, Target advised recent customers to monitor their bank accounts for suspicious or unusual activity, and pointed them to the Federal Trade Commission and various credit card monitoring portals. Customers still took angrily to social media to comment on the breach of their privacy.
Massachusetts Attorney General Martha Coakley and New York Attorney General Eric Schneiderman have publicly stated they will be working with Target to address the breach, including the inevitable class actions to follow.
Mike Snider at USA Today reports that three class-action lawsuits have already been filed.
The largest U.S. retail breach occurred at TJX Cos. in 2007, and affected 90 million credit cards. There have so far been about 525 data breaches in 2013, according to AIG.