Target Corp. TGT -2.22% was hit by an extensive theft of its customers' credit-card and debit-card data over the busy Black Friday weekend, people familiar with the matter said, in what appears to be a brazen breach of a major retailer's information security.
The theft was national in scope and happened in stores, not online, and may have involved tampering with the machines customers use to swipe their cards when making purchases, the people said.
The Secret Service is investigating the breach, a spokesman said, but wouldn't discuss details of the incident while the investigation is ongoing. Secret Service often investigates significant hacks of credit-card data, as part of its mission is to safeguard the country's financial infrastructure and payment systems.
The Secret Service is probing a breach of Target's credit-card reading devices. Michael Reynolds/European Pressphoto Agency
Target didn't respond to requests for comment.
It is believed that the breach affected roughly 40,000 card devices at store registers, which could mean that millions of cardholders could be vulnerable, according to the people familiar with the incident. They also warned that details could change significantly as the investigation proceeds.
The discount chain has 1,797 stores in the U.S. and another 124 in Canada.
The apparent breach occurred during the period when Americans kick off their holiday shopping and store traffic is around its highest of the year. Retailers try to lure shoppers to stores on Black Friday with "door buster" deals and overnight hours that often draw big crowds. Retailers try to lure shoppers to stores on Black Friday with "door buster" deals and overnight hours that often draw big crowds. The breach may have gone into the Monday after Thanksgiving, one of the people said.
The thieves gained access to data that is stored on the magnetic stripe on the back of the credit and debit cards, according to the people familiar with the breach. The stripe contains data that is valuable for making counterfeit cards, such as account numbers and expiration dates, but it wasn't immediately known which data was vulnerable.
Hackers typically aim to sell such information in bulk on the black market to people who use it to produce fake credit or debit cards. Crime rings can use the fake cards to buy gift cards from major retailers and convert them eventually into cash, according to investigators and former U.S. officials.
One of the biggest incidents to hit the industry took place in 2007, when thieves stole card numbers and personal data on up to 90 million cards belonging to people who had shopped at stores owned by TJX TJX +0.06% Cos., parent of T.J. Maxx, HomeGoods and other discount chains.
In July, federal prosecutors unsealed criminal charges in an ongoing investigation of a group of people believed to have stolen more than 160 million credit and debit card numbers from companies including J.C. Penney Co. JCP -3.73% , 7-Eleven, Nasdaq OMX Group, NDAQ -0.19% JetBlue Inc. JBLU -0.94% and others over several years. Dow Jones Inc., a unit of News Corp. NWSA -1.03% and publisher of The Wall Street Journal, was among the companies affected.
Penney, 7-Eleven, and JetBlue didn't respond to requests for comment. Dow Jones and Nasdaq declined to comment. Dow Jones and Nasdaq declined to comment.
Target reported $1.6 billion in profit on $51 billion in sales in the nine months ended Nov. 2.
One of the most recent big breaches occurred last year at Global Payments Inc., an Atlanta-based company that processes card transactions on behalf of merchants and banks. In that case, the company disclosed that thieves were believed to have stolen data from up to 1.5 million card accounts.
Write to Robin Sidel at robin.sidel@wsj.com, Danny Yadron at danny.yadron@wsj.comand Sara Germano at sara.germano@wsj.com
Would love to here from you...