US retail giant Target said Thursday some 40 million customers may have had bank card data compromised by hackers who broke into its database as holiday shopping got underway.
Target said there had been "unauthorized access" to its payment system in US stores affecting credit and debit cards.
Approximately 40 million credit and debit cards may have been affected by the breach between November 27 and December 15, the company said in a statement.
Target said it is working with law enforcement and financial institutions and "has identified and resolved the issue."
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said chief executive Gregg Steinhafel.
In a separate communication to consumers on its website, the company recommended shoppers "remain vigilant for incidents of fraud and identity theft."
"We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code)," Target said.
Target urged consumers to closely read their account statements and credit reports and to report suspicious activity to financial institutions.
Target is the US' third-largest retailer after Wal-Mart Stores and Kroger, according to Stores Media, a part of the National Retail Federation. The company had 1,778 stores in the US as of February 2013.
Target shares were off 1.8 percent in mid-morning trade Thursday.
News of the attack was first reported by security blogger Brian Krebs, who said the breach extends to nearly all Target stores across the country.
"An obvious fear will be that the criminals will use the stolen data to create counterfeit credit and debit cards, and plunder customers' bank accounts," said independent security researcher Graham Cluley.
"To be frank, this security breach sounds pretty bad. And if customers are impacted in their wallets, it will be a PR nightmare for Target."