US retailer Target is being sued following a credit card security breach that put 40 million cards at risk.

It has emerged the hackers managed to steal the card details by getting malware on to the checkout systems in almost 1,800 Target stores in the US, the BBC reported.

Customers who shopped at Target between November 27 and December 15 argue Target failed to notify them of the breach before it was first reported and did not “maintain reasonable security procedures” to prevent it.

The lawsuits, filed in US courts, argue the “ramifications of [Target’s] failure to keep class members’ data secure are severe”, citing billions of dollars lost each year to identity theft.

Complaints against the retailer, seeking unspecified damages, have now been filed in Massachusetts, Florida, Oregon, Washington, California, Illinois and Minnesota by at least 11 shoppers.

Security researcher Brian Krebs said last week he had discovered evidence that card numbers stolen in the Target attack had appeared on underground markets where such details are traded.