Dec. 20, 2013 at 5:49 PM ET
Target Corp. is offering its 10 percent employee discount to shoppers this weekend following a massive breach of its customers’ credit and debit card information.
Meanwhile, investigators believe that overseas hackers were responsible for the cyberattack that compromised up to 40 million payment cards during the first three weeks of the holiday shopping season, a person familiar with the matter told Reuters.
“Our guests’ trust is our top priority at Target and we are committed to making this right,” Target CEO Gregg Steinhafel said in a statement on Target’s website Friday.
The cyberattack “was a crime against Target, our team members, and most importantly, our guests,” Steinhafel said. “We’re in this together, and in that spirit, we are extending a 10 percent discount — the same amount our team members receive — to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”
The offer is limited to one in-store transaction per guest. Target has also pledged free credit monitoring for affected customers.
Government investigators don’t believe the overseas hackers had inside help, according to Reuters’ source, who was not authorized to talk publicly about the matter.
The source declined to say how the hackers got in or where investigators believe they are based, saying investigators don't want to show their hand to the criminals or afford them a chance to destroy evidence.
As the investigation continued, the blogger who first broke news of the breach, Brian Krebs, reported that data stolen from Target had begun flooding underground markets that sell stolen credit cards.
KrebsOnSecurity.com reported Friday that cards stolen from Target were being offered at "card shops" for rates starting at $20 each and going to more than $100.
A Secret Service spokesman declined comment on the investigation, which the agency is running.
The retailer reported the breach Thursday, a day after Krebs broke news of the attack. Target has declined to say how its systems were compromised and has provided few other details about the case.
Spokeswoman Molly Snyder released a written statement on Friday that downplayed the initial impact from the incident.
"To date, we are hearing very few reports of actual fraud, but are closely monitoring the situation," she said.
She said the stolen information was limited to data stored on the magnetic strip.
The hackers did not obtain PIN numbers used to access ATMs or the three or four-digit security codes that are printed on cards to verify online purchases, Snyder said.
She said Target has provided exposed card numbers to Visa, MasterCard, Discover and American Express. Those companies are in turn providing the information to the financial institutions that issue them.
NBC News business writer Margaret Santjer and Reuters’ Mark Hosenball, Dhanya Skariachan and Jim Finkle contributed to this report.