NEW YORK — A day after Target announced that 40 million of its customers had their credit and debit card data breached, the retailer announced a 10% discount for all shoppers at its stores this Saturday and Sunday.
But the discount will likely come as cold comfort to customers whose information is already being sold on the black market. Thousands of credit and debit card numbers were already flooding illegal websites where fraudsters trade stolen data, the New York Times reported.
More bad news came from JPMorgan Chase, the largest bank in the United States. Chase told their customers Saturday that they would be limited to $100 in cash withdrawals and $300 in total purchases per day if they used Chase debit cards at Target during the time of the hacking, NBC News reported.
The limit applies to about 2 million customer accounts, Kristin Lemkau, a Chase spokeswoman, told NBC News. That represents less than 10 percent of Chase customers, she said.
The company also provided details Friday about the extent of the hack and the information that could have been compromised.
The nation’s No. 2 general merchandise retailer said cards used at its brick-and-mortar stores between Nov. 27 and Dec. 15 of this year may have been impacted.
Target said there is no indication that any debit card PIN numbers were compromised. The retailer also claimed it doesn’t appear that the three- or four-digit security code visible on the face of credits cards were breached. That means that the debit and credit cards that were compromised cannot be used to withdraw cash from an ATM or to shop online.
But lawyer Robert Ahdoot, part of a legal team in California that has filed a lawsuit seeking class action status on behalf of Target customers, said he had spoken to shoppers who claimed thieves had used their debit card information to withdraw money from ATMs.
The lawsuit alleges negligence on the part of the retailer, and also says Target failed to promptly notify victims of the hack.
“Target has an obligation to provide adequate security for the financial information they collect,” Ahdoot said. He recommended that consumers who suspect that their cards may have been compromised change their PIN numbers as a precaution.
Target spokeswoman Molly Snyder said the retailer “typically doesn’t comment on pending litigation.”
Target said it believes customers’ birth dates and social security numbers weren’t compromised. The retailer said it gave Visa, MasterCard, Discover and American Express the card numbers of those who may have been impacted, and that these companies will monitor the cards for fraud.
Target is also monitoring its own card, the REDcard, for potential unauthorized activity.
Steinhafel said the affected customers “will not be held financially responsible for any credit and debit card fraud.”
“[T]o provide guests with extra assurance, we will be offering free credit monitoring services,” Steinhafel said. “We will be in touch with those impacted by this issue soon on how and where to access the service.”
To help answer questions about the incident, Target has set up a hotline for customers. Shoppers have been reporting long hold times, so Target said it will beef up its staffing.
Target didn’t specify how its systems were hacked. But judging by the scope of the breach and the kind of information that criminals obtained, security experts say hackers apparently targeted the retailer’s point-of-sale system. That means they either slipped malware into the terminals where customers swipe their credit cards, or they collected customer data while it was en route from Target to its credit card processors.
The retailer said it had notified authorities and financial institutions immediately after it was made aware of the unauthorized access, and had hired a forensics team to investigate how the breach may have occurred. The issue that allowed the breach has been identified and resolved, Snyder said.
CNN contributed to this report.