Target says about 40 million credit and debit card accounts may have been affected by a data breach linked to recent purchases in its U.S. stores.
The chain said Thursday that the accounts may have been impacted between Nov. 27 and Dec. 15.
The dates include the busy Black Friday shopping period surrounding the U.S. Thanksgiving holiday, which was on Nov. 28.
Canadian stores weren't affected, a Target spokeswoman told CBC News by email today. The discount retailer didn't immediately specify where the affected stores were located except that they were in the United States.
Target Corp. said customers who made purchases at its U.S. stores during the period and suspected unauthorized activity should call them at 866-852-8680.
May be continuing
The breach was first reported Wednesday by Brian Krebs, a security blogger, the New York Times said.
While the breach began the day after Thanksgiving, it may be continuing, the Times said, citing a person involved in the investigation.
It wasn't immediately clear whether Target's online customers were affected, the Times said. The criminals' goal was apparently to get information from customers' credit and debit cards, potentially including personal identification numbers (PINS).
The Minneapolis company said it immediately told authorities and financial institutions once it became aware of the breach and that it is teaming with a third-party forensics firm to investigate the matter.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, Target's chairman, president and chief executive officer.
Stores in Canada
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
Target has 1,797 U.S. stores and 124 in Canada.
The company has only been operating stores in Canada since March, when it began a long-planned national rollout in southern Ontario.
Target is just the latest retailer to be hit with a data breach problem. TJX Cos., which runs stores such as T.J. Maxx, Marshall's and Winners, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. The breach wasn't detected until December 2006.
In June 2009 TJX agreed to pay $9.75 million US in a settlement with multiple states related to the massive data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws.