NEW YORK (
(TGT - Get Report) is being cagey about how it managed to allow data for "approximate 40 million credit and debit card accounts" to be stolen, but it would appear that blame for the theft falls squarely on the retailer, and not on payment processors.
Target announced the data theft on Thursday, and CEO Gregg Steinhafel said the usual "we regret any inconvenience this may cause," rather than saying "we regret the inconvenience." The company also said it had "alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts."
The company also said "information involved in this incident included customer name, credit or debit card number, and the card's expiration date and CVV." That means whoever stole the data has everything they need to make online purchases.
Target seemed to get a little cute in saying in its Thursday press release that the data theft "may have impacted certain guests," considering that whoever stole the data got all the key pieces of data needed to use make fraudulent purchases.
Target said "You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions." However, Target didn't make the obvious point that those 40 million credit card accounts will have to be cancelled, with new credit cards issued to customers.
The retailer's shares pulled back only 2% on Thursday to $62.15. In premarket trading on Friday, Target was down another 0.32%.
The retailer has provided very little information about the data theft so far, other than its nauseating scope. A good reason for this may be that the theft occurred right at the stores, and that the company doesn't want to give any other potential data hackers any bright ideas.
"Given the limited details available as we do not know where the data breach occurred (in-house system or the payment terminal level), it is currently hard to determine who will ultimately bear the cost of the breach," wrote KBW analyst Sanjay Sakhrani in a note to clients late Thursday.
The analyst said he had spoken with intermediary payment processors Global Payments, Inc. (GPN), Heartland Payment Systems (HPY) and Total System Services (TSS), "and all three companies have confirmed that Target is not a client on the merchant acquiring side."
Sakhrani also said he didn't expect "any impacts" on the major credit card processing networks run by American Express AXP, Discover Financial Services (DFS), Visa (V - Get Report) and MasterCard (MA).
This chart shows Target's underperformance during 2013 against the S&P 500
TGT data by YCharts
>Contact by Email.