State officials are urging Hawaii residents to take precautions against fraudulent activity following Target’s data-security breach, which is threatening to drive off holiday shoppers during the company’s busiest time of the year.

The nation’s second-largest discounter said Thursday that data connected to about 40 million credit and debit card accounts were stolen as part of a breach that began over the Thanksgiving weekend.

A Target spokeswoman couldn’t specifically say how many customers in Hawaii were affected, due to an ongoing investigation, but the state Department of Commerce and Consumer Affairs’ Office of Consumer Protection is asking the retail giant to notify local consumers of any security breach involving personal information — a measure required by state law.

“This is a very serious breach affecting a significant number of people,” Bruce Kim, executive director of the Office of Consumer Protection, said in a statement. “Any Hawaii residents who believe they may be at risk because of this incident are urged to take immediate steps to protect their personal credit information as well unauthorized access to their credit or debit card accounts. It is critical for those affected to use the contact information provided by Target and get current information on what they can do to protect themselves.”

Target spokeswoman Molly Snyder told the Honolulu Star-Advertiser that customers who shopped at the stores are urged to be “vigilant in watching their cards for any suspicious or fraudulent activity.”

The theft marks the second-largest credit card breach in U.S. history, exceeded only by a scam that began in 2005 involving retailer TJX Cos., operator of T.J. Maxx, that affected at least 45.7 million card users.

Customers who made purchases by swiping their cards at Target’s U.S. stores between Nov. 27 and Sunday may have had their accounts exposed. The stolen data included customer names, card numbers and expiration dates, and the embedded code on the magnetic strip on the back of the card, Target said.

“I am worried that people might be hacking into my credit card and stealing my information,” said Nicole Niau, a 26-year-old Kaimuki resident who shopped at Target on Oahu several times in the past few weeks and is now skeptical about using plastic at the store in the future.

The data breach did not affect online purchases, the company said.

Target has not disclosed exactly how the breach occurred but said it has fixed the problem.

Target has nearly 1,800 stores in the U.S., including four Hawaii stores — in Hilo and Kona and, on Oahu, in Salt Lake and Kapolei.

———

The Associated Press contributed to this report.

WHAT TO DO

Questions about Target’s credit and debit card breach:

Question: I shopped at Target during that time. What should I do?

Answer: Check your credit card statements carefully. If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission.

You can get more information about identity theft on the FTC’s website at www.consumer.gov/idtheft, or by calling the FTC at 877-IDTHEFT (438-4338).

Q: Who pays if there are fraudulent charges on my account?

A: The good news is that in most cases consumers aren’t on the hook for fraudulent charges. Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn’t happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately. And because the fraud has been tied to Target, it’ll be the retailer that ultimately compensates the banks and credit card companies.

Q: What should I look for, and for how long?

A: With lots of extra purchases being made for the holidays, this can be a tricky time of year to remember what you bought, so it’s important to be extra vigilant. According to John Ulzheimer, a consumer credit expert for Credit Sesame, "smart fraudsters" won’t go out and buy a dozen big-screen TVs. They will make small purchases, like something for $29, at an inconspicuous venue like a drugstore, to try to avoid any notice. "What that does is it lets them know they’ve got a valid card that’s still in play, and then they can pepper you to death with it," Ulzheimer said. "So even if it’s a small dollar amount, it doesn’t hurt to verify to make sure it was really you." A thief might also sit on the card information for a period of months, maybe even years, Ulzheimer said, waiting for an initial spurt of vigilance to subside, so it is important to pay attention in the long run.

Q: Should I cancel my credit or debit card?

A: While Ulzheimer says that at this juncture people do not need to cancel their cards, other experts disagree. Eva Velasquez, chief executive of the Identity Theft Resource Center, a nonprofit that helps victims of identity theft, suggested that people who shopped at Target when the data were breached cancel their credit card and get a new one. If shoppers used a debit card, she said they should get a new card and change their PIN — PINs should be changed periodically anyway, so now is a good time to do it.

——

Associated Press and New York Times