A data breach affecting 40 million credit and debit card accounts used by Target customers could put a slight chill on holiday spending.
Target said Thursday the breach involved customer names and debit and credit card numbers, as well as card expiration dates and the cards’ three-digit CVV security codes. The store said customers who shopped there between Nov. 27—two days before Black Friday—and this past Sunday should review their accounts for suspicious activity.
In a statement, Target said it has “identified and resolved the issue of unauthorized access to payment card data.” The retailer said it alerted authorities and financial institutions of the breach, and will investigate with the aid of a third-party forensics firm.
But given that only 8.9 percent of shoppers had completely finished their holiday shopping by Dec. 13, according to the National Retail Federation, news of the breach could prompt procrastinators to head to competitors such as Amazon or Wal-Mart for items on their lists during the last critical week. “Forty-million is a large number, and it doesn’t take a lot to make a difference,” said David Strasser, a retail analyst for Janney Montgomery Scott.
Helen Lane of Newport News, Va., is among those Target shoppers who are making alternate plans. “I’m usually in Target once a week, but around this time of year? I’ve been there three times this week,” said Lane, a graphic designer. She hasn’t heard yet from Target if her store REDcard, which links to her checking account, was among those affected. But she said she’s unwilling to risk her balance until she gets the all-clear, or a new card.
“I probably won’t go there for a few weeks until they figure this out,” Lane said. Instead, she’ll head to the nearby Trader Joe’s and Wal-Mart.
Analysts say Target could also be on the hook for losses stemming from unauthorized charges due to the breach, and higher interchange fees from issuers of affected cards.
“Near term, it’s obviously not good for the company,” said Ken Perkins, an analyst for Morningstar. “I wouldn’t be surprised if this results in some financial implications.”Target even may see fewer consumers applying for its store-branded REDcards, which tend to drive loyalty, he said.
If shoppers like Lane divert, it’s likely to be short-term. “I feel like most everybody has gotten a letter in the past five years that says, ‘There’s been a breach on your account,’ ” said Joseph Feldman, senior retail analyst for Telsey Advisory Group. Breaches tend to be quickly forgotten once affected shoppers have new cards in hand and unauthorized charges purged from their accounts, he said.
In a note Thursday, Patrick McKeever, managing director of MKM Partners, wrote that there’s little historical precedent for consumer backlash. After TJX Companies—parent to T.J. Maxx, Marshalls and HomeGoods—announced a breach involving 90 million card numbers in January 2007, same-store sales rose from 2 percent in the first quarter of that year to 5 percent in the second quarter.
“We believe consumers understand things like this can happen even to the best companies, and after they do, feel more secure using their cards as they assume greater precautions are being taken,” McKeever said in the note.
—By CNBC’s Kelli B. Grant. Follow her on Twitter @kelligrant.