According to sources at two of the top 10 credit card issuers, the breach extends to nearly all Target locations in the US, and involves the theft of data stored on the magnetic stripe of cards used at the stores.
Target has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.
Both sources said the breach was initially thought to have extended from just after the Thanksgiving holiday on November 28 to December 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week – possibly as far as December 15.
According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.
"The breach window is definitely expanding," said one anti-fraud analyst at a top 10 US bank card issuer who asked to remain anonymous. "We can't say for sure that all stores were impacted, but we do see customers all over the US that were victimised."
There are no indications at this time that the breach affected customers who shopped at Target's online stores. The type of data stolen – also known as "track data" – allows criminals to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
It's not clear how many cards thieves may have stolen in the breach. But sources from the two major card issuers said they have so far been notified by one of the credit card associations regarding more than 1 million cards that were thought to have been compromised.