Target said data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday season (Nov 27to Dec. 15), in the second-largest card breach at a U.S. retailer.

The data theft, unprecedented in its ferocity, took place over a 19-day period that began the day before Thanksgiving. Target said on Thursday that it identified and resolved the issue on Dec. 15.

The company's shares fell as much as 3.2 percent before the bell.

On Thursday, Target told customers in an alert on its website that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes.

Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target's 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards.

It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores.

MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.

Target said it had alerted authorities and financial institutions immediately after it was made aware of the unauthorised access and that it was "putting all appropriate resources behind these efforts."

Presented by Adam Justice