NEW YORK — The hack of Target’s payment systems hit in the peak shopping season and compromised 40 million customers’ payment information.
The discount retailer acknowledged on late last week that the hack began on Black Friday and stretched more than two weeks to Dec. 15.
Here’s what we know:
— The breach: Malware on store point-of-sale systems was involved in the security breach. The company is cooperating with federal authorities, including the Secret Service and Department of Justice, and is withholding additional details at the request of law enforcement.
— Where did it happen: The hack was limited customers shopping in U.S. and Canadian Target stores with credit and debit cards. Online purchases were not involved.
— What got stolen: Hackers stole customer names, credit or debit card numbers, expiration dates and card security codes, Target said. PIN numbers, other customer information like Social Security numbers, and employee records were not compromised.
— Target customers: The company has notified “millions” of affected customers for whom Target has email addresses. CEO Gregg Steinhafel said “the cause of this issue has been addressed and you can shop with confidence at Target.”
— Banks: Target also notified credit and debit card issuers, many of which said they were monitoring customer accounts for fraudulent activity. Chase initially set low daily withdrawal and spending limits on its cards, though it adjusted those limits late Monday.
— Lawsuits: At least two dozen federal class action lawsuits have been filed in a handful of states alleging the retailer was negligent and did not adequately protect customer privacy.
— State AGs: Target said its legal team held a conference call with most states’ attorneys general on Monday afternoon.
— More fallout: Target has hired a private firm to review its information security and two U.S. senators called for consumer protection agencies to investigate.
— What you should do: Consumer watchdogs say customers should check their credit card statements, including for small purchases that could indicate fraudsters are verifying an account is still active. Customers should also contact their banks to request a replacement card — if one isn’t already on the way — and change their PIN.
— How to contact Target: Customers concerned about the breach could call Target, and customer service teams would be available on Christmas, Snyder said. The company said additional information would be available at corporate.target.com, by phone at 1-800-440-0680, and on Twitter @Target.