“We recognize this has been confusing and disruptive during an already busy holiday season,” Target CEO Gregg Steinhafel said in a statement Friday.
“Our guests’ trust is our top priority at Target and we are committed to making this right.”
The company also provided details Friday about the extent of the hack and the information that could have been compromised.
The nation’s No. 2 general merchandise retailer said cards used at its brick-and-mortar stores between Nov. 27 and Dec. 15 of this year may have been impacted.
Target said there is no indication that any debit card PIN numbers were compromised. The retailer also claimed it doesn’t appear that the three- or four-digit security code visible on the face of credit cards were breached. That means that the debit and credit cards that were compromised cannot be used to withdraw cash from an ATM or to shop online.
But lawyer Robert Ahdoot, part of a legal team in California that has filed a lawsuit seeking class action status on behalf of Target customers from Harlem to Hollywood, said he had spoken to shoppers who claimed thieves had used their debit card information to withdraw money from ATMs.
The lawsuit alleges negligence on the part of the retailer, and also says Target failed to promptly notify victims of the hack.
“Target has an obligation to provide adequate security for the financial information they collect,” Ahdoot said. He recommended that consumers who suspect that their cards may have been compromised change their PIN numbers as a precaution.
Target spokeswoman Molly Snyder said the retailer “typically doesn’t comment on pending litigation.”
Target said it believes customers’ birth dates and social security numbers weren’t compromised. The retailer said it gave Visa, MasterCard, Discover and American Express the card numbers of those who may have been impacted, and that these companies will monitor the cards for fraud.
As a precaution, J.P. Morgan Chase & Co. said it was temporarily limiting ATM withdrawals to $100 a day and purchases to $300 a day for Chase customers in the U.S. whose debit cards are at risk, the company said in a letter to affected account holders.
Meanwhile, Target is also monitoring its own card, the REDcard, for potential unauthorized activity.
Steinhafel said the affected customers “will not be held financially responsible for any credit and debit card fraud.”
“[T]o provide guests with extra assurance, we will be offering free credit monitoring services,” Steinhafel said. “We will be in touch with those impacted by this issue soon on how and where to access the service.”
To help answer questions about the incident, Target has set up a hotline for customers. Shoppers have been reporting long hold times, so Target said it will beef up its staffing.
Target didn’t specify how its systems were hacked. But judging by the scope of the breach and the kind of information that criminals obtained, security experts say hackers apparently targeted the retailer’s point-of-sale system. That means they either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was en route from Target to its credit card processors.
The retailer said it had notified authorities and financial institutions immediately after it was made aware of the unauthorized access, and had hired a forensics team to investigate how the breach may have occurred. The issue that allowed the breach has been identified and resolved, Snyder said.