US retailer Target has revealed about 40 million credit and debit cards may have been compromised by a data breach at the height of the holiday shopping season.

Shoppers who made purchases using their cards at the retailer’s stores between November 27 and December 15 may have been exposed, Sky News reported.

The stolen information includes customer names, credit and debit card numbers, card expiry dates and the three-digit security codes located on the backs of cards.

The retailer, which has 1,797 stores in the US and 124 in Canada, said it notified authorities and financial institutions as soon as it became aware of the breach, and that it is working with a third-party forensics firm to investigate the matter.

Target chief executive Gregg Steinhafel said: “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause.”