Target said about 40 million credit card and debit card accounts were compromised in a 19-day data breach starting the day before Thanksgiving.
The retailer said on Thursday the breach, which lasted from Nov. 27 to Dec. 15, included the consumer's name, credit card and debit card numbers, the card's expiration date and the three-digit security card security code. Only customers who shopped in actual stores were affected; online customers were not. Target spokeswoman Molly Snyder said there are no indications that debit card personal identification numbers, or PINs, were accessed.
Snyder would not say how many stores were affected or how the hack was executed. But Krebs on Security, an industry security blog that broke the news about the breach on Wednesday, said that nearly all of the retailer's U.S. stores were affected and the data was collected from the magnetic stripe on the backs of the cards.
"No matter how careful we are with our own data there's no guarantee that the places we shop are equally protective," says John Ulzheimer, credit expert at Credit Sesame.
The good news for consumers is that Target has already contacted banks about the breach. Discover, Chase, Citi, Capital One, Wells Fargo and Bank of America all confirmed that they are actively monitoring accounts for suspicious activity and will contact cardholders if they believe their account has been compromised.
"Discover's top priority is maintaining the privacy and security of our cardmembers," says company spokeswoman Laura Gingiss.
Typically, card issuers will cancel affected cards and send out new cards with new numbers to customers. In some cases, if the customer can't be reached, a card issuer may temporarily shut down the card, so no fraudulent charges can be added.
Consumers who recently shopped at Target stores should be just as vigilant by double-checking their online statements for any unusual charges. Ulzheimer recommends that consumers do this regularly and not wait until the monthly statement comes.
"Fraud is a real time crime and we as consumers have to be constantly engaged with our payment vehicles so that we are immediately aware of fraudulent use," he says.
If a consumer finds an unauthorized transaction, they should contact their banks to report the transaction along with the three credit reporting bureaus -- Experian, Equifax and TransUnion -- to place a fraud alert on their credit reports. Fraud alerts last 90 days and tell lenders to take extra precautions to verify a person's identify before extending credit.
Consumers affected by the breach should also pull their credit report one to two months after finding the unauthorized transaction to check if any new credit has been established in their name without their permission. It takes at least a month for a new account to show up on a credit report. Consumers are entitled to a free credit report from each credit bureau once every 12 months under federal law.
As for losses, credit card holders are not liable for any unauthorized charges stemming from a data breach under federal law. Debit card holders face higher losses, depending on whether their PIN was accessed and when they report unauthorized charges.
"When reported promptly, debit card customers are not liable for any unauthorized purchases on their accounts," says Chase spokesman Rob Tacey.
Did your issuer call you about a breach recently? Let me know.
Follow me on Twitter: @JannaHerron.