A breach of credit and debit card data at discount retailer Target may have affected as many as 40 million shoppers who went to the store in the three weeks after Thanksgiving, the retailer said Thursday.
Late Wednesday, the Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach.
Spokesman Brian Leary declined further comment.
The breach first came to light via a report from respected security researcher Brian Krebs, who said Target had suffered a data breach around the time of Black Friday last month "potentially involving millions of customer credit and debit card records."
Target (TGT, Fortune 500), the nation's No. 2 general merchandise retailer after Wal-Mart Stores (WMT, Fortune 500), said cards used at the brick-and-mortar stores between Nov. 27 and Dec. 15, 2013, may have been impacted.
Target didn't specify how its systems were hacked. But judging by the scope of the breach and the kind of information criminals got, security experts say hackers targeted the retailer's point-of-sale system. That means they either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was en route from Target to its credit card processors.
The retailer said it notified authorities and financial institutions immediately after it was made aware of the unauthorized access, and had hired a forensics team to thoroughly investigate how the breach may have happened.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," CEO Gregg Steinhafel said in a statement. "We regret any inconvenience this may cause."
The thieves reportedly gained access to data on the magnetic strips of shoppers' cards, potentially allowing them to produce counterfeit versions, according to Krebs.
The thieves could also potentially withdraw cash from ATMs using counterfeit debit cards if they were able to intercept PIN data from Target, he said.
American Express (AXP, Fortune 500) and Discover (DFS, Fortune 500) both said they were "aware" of the incident and had fraud controls in place.
"This is an ongoing investigation," an AmEx spokeswoman said, declining to comment further.
MasterCard (MA, Fortune 500) referred questions to Target; Visa (V, Fortune 500) did not respond to requests for comment.