40 million accounts may be breached

Target is grappling with a data security nightmare that threatens to drive off holiday shoppers during the company’s busiest time of year.

The nation’s second largest discounter said Thursday that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.

The data theft marks the second largest credit card breach in the U.S. after retailer TJX Cos. announced in 2007 that at least 45.7 million credit and debit card users were exposed to credit card fraud.

Target’s acknowledgment came a day after news reports surfaced that the discounter was investigating a breach.

The chain said customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards.

The data breach did not affect online purchases, the company said.

The stolen information included Target store brand cards and major card brands such as Visa and MasterCard.

The Minneapolis company, which has 1,797 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach on Dec. 15. The company is teaming with a third-party forensics firm to investigate and prevent future breaches.

The breach is the latest in a series of technology crises for Target. The company faced tough criticism in late 2011 after it drummed up hype around its offerings from Italian designer Missoni only to see its website crash. The site was down most of the day the designer’s collection launched. The company angered customers further with numerous online delays for products and order cancellations.

But the credit card breach poses an even more serious problem for Target and threatens to scare away shoppers who worry about the safety of their personal data.

“A data breach is of itself a huge reputational issue,” said Jeremy Robinson-Leon, a principal at Group Gordon, a corporate and crisis public relations firm. He noted that Target needs to send the message that it’s rectifying the problem and working with customers to answer questions. He believes Target should have acknowledged the problem on Wednesday rather than waiting until early Thursday.

“This is close to the worst time to have it happen,” Robinson-Leon said. “If I am a Target customer, I think I would be much more likely to go to a competitor over the next few days, rather than risk the potential to have my information be compromised.”

Target advised customers Thursday to check their statements carefully. Those who see suspicious charges on the cards should report it to their credit card companies and call Target at (866) 852-8680. Cases of identity theft can also be reported to law enforcement or the Federal Trade Commission.