Dec. 19, 2013 at 1:10 PM ET
The data breach for 40 million shoppers at Target over the heart of the holiday shopping season could cast a pall over the few days left before Christmas.
It would most likely affect Target, analysts say, but in a season that has been less than jolly for most retailers, no speed bumps were needed.
Retailers are facing headwinds of a shorter holiday season and fierce competition from web competitors. The National Retail Federation has forecast "marginal" sales gains of just 3.9 percent. Others are more pessimistic. The CNBC All-Economic survey expects a 9.4 percent drop in holiday spending.
Given that only 8.9 percent of shoppers had completely finished their holiday shopping by Dec. 13, according to the NRF, news of the breach could prompt procrastinators to head to competitors such as Amazon or Wal-Mart for items on their lists during the last critical week. "Forty-million is a large number, and it doesn't take a lot to make a difference," said David Strasser, a retail analyst for Janney Montgomery Scott.
Target did not immediately respond to requests for comment.
Helen Lane of Newport News, Va., is among those Target shoppers who are making alternate plans. "I'm usually in Target once a week, but around this time of year? I've been there three times this week," said Lane, a graphic designer. She hasn't heard yet from Target if her store REDcard, which links to her checking account, was among those affected. But she said she's unwilling to risk her balance until she gets the all-clear, or a new card.
"I probably won't go there for a few weeks until they figure this out," Lane said. Instead, she'll head to the nearby Trader Joe's and Wal-Mart.
Other Target customers concerned about their accounts were unable to get answers Thursday. Target's credit card web site has been down, and its toll-free hotline for questions about the breach was jammed. A Target spokesperson told CNBC that the security breach had resulted in higher than normal volume, which the retailer was working to resolve.
Target said Thursday the breach involved customer names and debit and credit card numbers, as well as card expiration dates and the cards' three-digit CVV security codes. The store said customers who shopped there between Nov. 27 — two days before Black Friday — and this past Sunday should review their accounts for suspicious activity.
In a statement, Target said it has "identified and resolved the issue of unauthorized access to payment card data." The retailer said it alerted authorities and financial institutions of the breach, and will investigate with the aid of a third-party forensics firm.
Analysts say Target could also be on the hook for losses stemming from unauthorized charges due to the breach, and higher interchange fees from issuers of affected cards.
"Near term, it's obviously not good for the company," said Ken Perkins, an analyst for Morningstar. "I wouldn't be surprised if this results in some financial implications." Target even may see fewer consumers applying for its store-branded REDcards, which tend to drive loyalty, he said.
If shoppers like Lane divert, it's likely to be short-term, though. "I feel like most everybody has gotten a letter in the past five years that says, 'There's been a breach on your account,' " said Joseph Feldman, senior retail analyst for Telsey Advisory Group. Breaches tend to be quickly forgotten once affected shoppers have new cards in hand and unauthorized charges purged from their accounts, he said.
But that would be small consolation for retailers who are battling a sluggish recovery, stagnant wages and worries about the job market in the fight to lure customers before Christmas.
—By CNBC's Kelli B. Grant. Follow her on Twitter @kelligrant .
© 2013 CNBC LLC. All Rights Reserved