Major banks and card issuers said they were monitoring customer accounts. JPMorgan Chase(JPM, Fortune 500)said it would limit the amount customers could withdraw from ATMs and spend in stores.On Sunday, Target spokeswoman Molly Snyder said the company had notified millions of affected customers for whom it had email addresses.
Two U.S. senators jumped in with demands for investigations.
Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. Richard Blumenthal called for a Federal Trade Commission probe, saying "it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information."
Meanwhile, plaintiffs in California sought to bring a class action and said Target "failed to implement and maintain reasonable security procedures and practices." Local media reported that another lawsuit was filed in a Rhode Island federal court.
Customer names, credit or debit card numbers, expiration dates and CVVs were involved in the information theft, Target said. The CVV -- the card verification value, also known as the security code -- is a three or four-digit number typically requested by retailers when making purchases online or over the phone.
Hackers could use this data to make card replicas. Robert Ahdoot, a lawyer for the California plaintiffs, said he spoke to customers who claimed unauthorized ATM withdrawals had been made from their accounts.
PIN numbers, other customer information like Social Security numbers, and employee records were not compromised, Target said.
What is Target doing? Target said it would offer affected customers a free credit monitoring service and set up a telephone hotline. It also offered a store-wide 10%discount on Saturday and Sunday. (Retail consulting firm Consumer Growth Partners estimated that customer transactions at Target stores declined on Saturday compared to the same weekend last year.)
The company said it "began investigating the incident as soon as we learned of it" through a "leading third-party forensics firm." The company said it also notified banks and law enforcement.
The Secret Service, which safeguards the nation's financial systems, said it was investigating, and on Friday, New York Attorney General Eric Schneiderman pledged to investigate.
CEO Gregg Steinhafel said "the cause of this issue has been addressed and you can shop with confidence at Target." He did not say how he knew customer data was no longer being stolen, nor how the hackers managed to swipe the credit card data.
How do you know if you were hacked? The easiest way to spot unauthorized purchases is to regularly check your paper or online statement. Sometimes hackers ping an account for only few cents to verify they have an active account.
Behind your stolen credit card
Hacked or not, what should you do? If you shopped at Target between November 27 and December 17, you should call your credit card company, bank and Target. Request a replacement card -- if one isn't already on the way -- and change your PIN.
Customers typically aren't liable for unauthorized purchases on their accounts that they report promptly. Major banks and credit card companies -- including American Express(AXP, Fortune 500), Discover(DFS, Fortune 500), Bank of America(BAC,Fortune 500), Wells Fargo(WFC, Fortune 500) and PNC(PNC, Fortune 500) -- said they were monitoring customer accounts.
J.P. Morgan Chase said it was temporarily limiting ATM withdrawals to $100 a day and purchases to $300 a day for customers whose accounts were at risk.
How did this happen? Many questions remain unanswered. But security experts believe hackers had access to the point-of-sale data, which means they either accessed the terminals where customers swiped credit cards or collected data as it moved from Target to credit card processors.