According to the company, 40 million credit and debit cards were breached between Nov. 27 and Dec. 15. Target said it alerted law enforcement and financial institutions immediately. The company added that it has "identified and resolved the issue."
Target added that it is working with a third-party forensics firm to investigate the incident.
Security experts raised eyebrows at the fact that CVV codes were breached.
Forrester analyst John Kindervag said:
This is a breach that should've never happened. The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC. Without knowing the exact breach vector it's hard to say exactly what happened, but clearly by exposing CVV information Target has demonstrated a blatant disregard for PCI DSS compliance regulations as well as card security best practices.
It's a brand disaster at the busiest shopping time of the year.