Target credit card hack: What you need to know

December 23, 2013 by CNN Money

The major hack of discount retailer Target that stole credit and debit card data from 40 million accounts was still reverberating several days later.

Target (TGT) acknowledged the hack on Thursday — three weeks after customer data was first scooped up on Black Friday.

On Sunday, Target spokeswoman Molly Snyder said the company had notified millions of affected customers for whom it had email addresses.

Major banks and card issuers said they were monitoring customer accounts. JPMorgan Chase (JPM) said it would limit the amount customers could withdraw from ATMs and spend in stores.

Two U.S. senators jumped in with demands for investigations.

Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. Richard Blumenthal called for a Federal Trade Commission probe, saying “it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information.”

Meanwhile, plaintiffs in California sought to bring a class action and said Target “failed to implement and maintain reasonable security procedures and practices.” Local media reported that another lawsuit was filed in a Rhode Island federal court.

Related: How not to get hacked

What was stolen? The hack affected customers who shopped at U.S. Target stores between November 27 and December 15, Target said.

Customer names, credit or debit card numbers, expiration dates and CVVs were involved in the information theft, Target said. The CVV — the card verification value, also known as the security code — is a three or four-digit number typically requested by retailers when making purchases online or over the phone.

Hackers could use this data to make card replicas. Robert Ahdoot, a lawyer for the California plaintiffs, said he spoke to customers who claimed unauthorized ATM withdrawals had been made from their accounts.

PIN numbers, other customer information like Social Security numbers, and employee records were not compromised, Target said.