Nearly 1 million of the credit and debit card accounts whose information was stolen from Target during the holiday shopping season belonged to customers who made purchases at the retail giant’s three dozen Massachusetts stores, the company said Friday.
The disclosure, required under Massachusetts law, was made as the aftershocks of the massive data breach spread to customers, financial institutions, and Target itself. The Minneapolis-based chain, reacting to a backlash from customers, consumer advocates, and regulators, said it would offer free credit monitoring for the estimated 40 million accounts affected by the theft of financial data and a 10 percent discount to shoppers this weekend.
“We recognize this issue has been confusing and disruptive during an already busy holiday season,” Target chief executive Gregg Steinhafel said in a statement
Consumers and banks, meanwhile, grappled with whether to cancel credit and debit accounts, and deal with the hassle — and cost — of doing so. Salem Five Bank, for example, ordered a few thousand new debit cards as it prepared to cancel those used by customers who had shopped at Target in recent weeks, said Martha Acworth, the bank’s spokeswoman.
Bank of America, the largest retail bank in Massachusetts and one of the largest in the country, said it will replace the cards of customers that the bank believes may have been compromised. It costs banks $3 to $5 for each replacement card.
Banks can be reluctant to replace cards because of these costs, which can quickly run into the tens of thousands of dollars or more.
Customers also often dread the headaches of changing accounts and updating automatic billing.
Lloyd Schwartz recently shopped at a Target store near his Somerville home, charging about $60 worth of toiletries and medicine on his MasterCard.
After learning of the data breach, he called his bank to check if his was among the compromised accounts. It was. Someone had tried to charge $37,000 in data processing services to his card.
Schwartz, 72, said his bank won’t hold him responsible for the expense. It canceled the account number and sent him a new card, which should arrive Monday. But he will have to change all his automatic payment accounts, including his E-ZPass and newspaper subscriptions.
“What a drag,” Schwartz said. “I have to say, it does make me nervous. I’m not going to go to Target.”
Target on Thursday said that the data theft occurred between Nov. 27 and Dec. 15 — a period that included Black Friday — but so far has offered scant details on how hackers were able to infiltrate and steal the customer data.
The breach compromised the financial data of customers who made purchases by swiping cards at terminals in Target’s 1,800 US stores, exposing their names, credit and debit card numbers, card expiration dates, and the security code on the cards’ magnetic strips.
Target said that it knows of only a few reports of actual fraud.
Massachusetts law requires companies to report data breaches in the state as well as the number of residents affected. In its filing with the state Office of Consumer Affairs and Business Regulation, Target said it couldn’t identify how many state residents had financial information exposed by the breach, but estimated that holders of 947,000 stolen accounts shopped in Massachusetts stores.
Barbara Anthony, who leads the state agency, said the breach means that Target customers need to monitor their credit carefully over the next year or more because their financial information could turn up months from now and thousands of miles away in another country. The cost of a monitoring service, she said, should be borne by Target.
“Why should consumers suffer any other inconvenience?” Anthony said.