Target Corp. on Thursday confirmed that a major data breach occurred between Black Friday and Dec. 15, which includes many of the most important shopping days of the year.

This story first appeared in the December 20, 2013 issue of WWD. Subscribe Today.

The unauthorized access to payment card data may have impacted 40 million shoppers making credit and debit card purchases in U.S. Target stores. Online transactions appear to be unaffected.

The Minneapolis-based retailer said it’s working closely with law enforcement and financial institutions and has “identified and resolved the issue.”

Target on Thursday posted a prominent message on its Web site, “Important notice: unauthorized access to payment card data in U.S. stores.” The message linked to a letter alerting customers that a breach occurred and outlining steps Target is taking to avoid a recurrence. Target said it’s working with a third-party forensics firm to investigate the incident and bring the thieves to justice.

The letter urged consumers to protect themselves against potential misuse of credit and debit information, advising them to periodically request a free copy of their credit report from each of the three major nationwide credit reporting agencies, and listed contact information for the agencies.

Meanwhile, a spokeswoman for the U.S. Secret Service on Thursday confirmed that the agency is investigating the breach at Target, but said the probe had just begun and it was too soon for additional information.

Target said it started investigating as soon as it became aware of the incident. Information involved in the breach included customer names, credit or debit card numbers and the card’s expiration date and CVV, the three-digit security code, Target said.

There was chatter late Wednesday that Target was looking into a data breach involving millions of customer credit and debit card records. Target did not respond to initial inquiries about the incident, issuing its statement Thursday morning.

“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue so guests can shop with confidence,” said Gregg Steinhafel, president and chief executive officer of Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

The TJX Cos. Inc., which was hacked in 2007, remains one of the largest data breaches in retail history with more than 45 million customer credit and debit cards involved. The incident cost TJX consumer good will and a reported $256 million.

“Anytime an organization finds itself a victim of a data breach, it puts its brand and reputation at risk because it can significantly damage consumer trust,” said Daren Orzechowski, a partner at White & Case, who focuses on information technology legal matters.

William F. Pelgrin, president and ceo of the Center for Internet Security, said, “Target has done a commendable job in terms of getting notification out as quickly as possible. Because there are varying requirements within each state, the notification process can be extremely difficult, but they’ve done it fairly rapidly compared to other major breaches that have occurred.”

Target’s stock on Thursday fell 2.2 percent, or $1.40, to $62.15 on the NYSE.