Payment details from up to 40 million credit cards could have been stolen after they were used in the stores of US retail giant Target.
The retailer said it was investigating after discovering that thieves had gained access to its payment systems.
The data breach began around 29 November, known as Black Friday, one of the busiest shopping days of the year.
The attackers are believed to have been scooping up credit card details for almost three weeks.
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said Target boss Gregg Steinhafel in a statement.
In addition, he said, the company was working with a data forensics firm to work out how the theft occurred.
Target said the thieves had taken credit card numbers, names, expiration dates and security codes for the cards.
It urged people who shopped at its stores in the vulnerable period to check credit card records and query unusual activity.
"We regret any inconvenience this may cause," said Mr Steinhafel.
Security researcher Brian Krebs, writing about the breach, said sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores.
It is not yet clear how the attackers managed to get their malicious program on to point-of-sale equipment in the stores.
The thieves stole data between Thanksgiving and 15 December, said Target.
The US Secret Service, which has official responsibility for investigating financial fraud, told Reuters it was looking into the breach.
The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls.
The thieves amassed the huge cache of data over an 18 month period after penetrating the retailers' computer network.
I am a British ex-pat living in the US. My wife and I regularly shop at Target and typically use a credit card as payment - whether online or in the store. My wife also has a store credit card through Target. This news is very disconcerting as I know we have shopped at Target at least a couple of times during the reported period. Our credit company (American Express) has been very good at identifying anomalies in the past and dealing with fraudulent transactions, so between us and the company checking activity on the cards I am hopeful we will not be caught out. Russell Hitchen, St Petersburg, Florida
It's becoming apparent that the system of handing a card with personal and financial details to a store clerk is outdated as it seems the criminals have more technological savvy than those who are supposed to protect us from this kind of fraud. We shop at Target all the time but in the future we will pay cash until the problem is resolved. If ever... Peter O'Brien, Monroe, New Jersey
Target is my go to store for everything. So concerned after reading this news piece. Have to go though my credit card statement to make sure I see don't see any anomalies. Fariha, Fremont, California
I did shop at Target during that time and this just isn't that surprising to me. Isn't that sad? I have already had my credit card number stolen twice this year, despite being careful. I've begun monitoring my credit card transactions on a daily basis because this has just become so common. Amy Kolinko, Dublin, Ohio
Interestingly enough, I work for a credit card processing company. I also happened to shop at Target over the course of Black Friday. My thoughts, as we move into a world where electronic payment methods are becoming more widely used, we must take a step back and evaluate why they are so convenient in the fist place. This convenience is obviously coming at a cost, and that cost is our privacy. This goes into the broader discussion of how the web has been used and is currently used to illicit intimate details of individuals. Getting back to the matter at hand, Target should have definitely invested more money in its security infrastructure, but at what point is security considered to be adequate? Will the 'hackers' always be one step ahead? Time can only tell, but my guess, this is an ongoing threat that will never truly be resolved completely. Omar Khalid, Astoria
- 16 October 2013
- 17 December 2013
- 2 December 2013