Hackers in the US have stolen data from up to 40 million credit and debit cards of shoppers who visited Target stores during the first three weeks of the holiday season.
It is the second-largest such breach reported by a US retailer.
The hackers worked at unprecedented speed, carrying out their operation from the day before Thanksgiving to last Sunday.
Target warned customers in an alert on its website on Thursday that names, payment card numbers, expiration dates and security codes had been stolen.
Target said it became aware of the problem on Sunday, but offered no immediate explanation for the four-day delay in informing customers.
Target, the third-largest US retailer, said it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
The retailer was alerted by credit card processors who noticed a surge in fraudulent transactions.
The timing of the breach could not have been worse for Target, coming just before the busiest period of the holiday season. Target last month lowered its profit forecast for the year.
"Most of these attacks are just a cost of doing business," said Mark Rasch, a former US prosecutor of cybercrimes.
"But an attack that's targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence."
Customers began to complain early on Thursday via Target's Facebook page.
"Thank you Target for nearly costing me and my wife our identities. We will never shop or purchase anything in your store again," said one posting.
"Shop at Target, become a target," remarked another. "Gee, thanks."
Investigators are still trying to understand how the attack was carried out, including whether hackers found a weakness at Target's computer network or via credit card service vendors.
Massachusetts Attorney General Martha Coakley, who headed a multistate probe into the 2007 data breach at the TJX clothing and homeware company, said in a statement that her office was talking to other attorneys general about the breach to determine whether Target had proper safeguards in place.
The TJX breach was the largest so far uncovered in the US, leading to the theft of data from more than 90 million credit cards over about 18 months.
New York Attorney General Eric Schneiderman said in a public statement that he had asked Target for more information.
A customer in California filed a class action lawsuit against the company late on Thursday, the first of what lawyers said could be many such suits.
Samantha Wredberg said in a court filing that she was a regular shopper at Target and had used her credit card at a company store on December 8.
Besides seeking damages, Wredberg asked the court to certify the lawsuit as class action.
She also asked the court to explore whether "Target unreasonably delayed in notifying affected customers of the data breach".
The breach also comes at a time when Target is trying to build up its online business, which by some estimates is only 2 per cent of sales.
Carol Spieckerman, president of the retail strategy firm newmarketbuilders, said: "All consumers will hear is that Target is not a safe place to use your credit card. That impacts trust."