STATE HOUSE NEWS SERVICE

Target, the major retailer with locations throughout Massachusetts, confirmed Thursday “unauthorized access to payment card data” that may have impacted 40 million credit and debit card accounts. The impacts would have been between Nov. 27 and Dec. 15.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Target President, Chairman and CEO Gregg Steinhafel said in a statement.

According to Target’s store locator, there are 36 locations in Massachusetts.

In a Dec. 19 notice on its website, Target reported that it began investigating the incident when company officials learned of it – they did not specify when that was – and said “the incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

Target said customers could contact the company at 1-866-852-8680.

After the Massachusetts-based clothes retailer TJX experienced a major data breach, the Legislature passed a law requiring businesses to notify the Office of Consumer Affairs and Business Regulations and the Office of the Attorney General when informed of a data breach.

Amie O’Hearn Breton, director of communications at the state Office of Consumer Affairs and Business Regulation, estimated that state officials learned of the breach at about 8 a.m. Thursday.

“This is a rapidly evolving situation that we just learned of this morning,” she said during an interview at about 11:15 a.m. Thursday in response to a News Service inquiry made early Thursday morning amid news reports about the breach. “We’re working to determine what’s happened with the breach, how the breach occurred.”

As early as Thursday night, news outlets were reporting that Target was investigating a data breach.

State law calls for companies aware of data breaches to notify the state attorney general’s office and the office of consumer affairs “as soon as practicable and without unreasonable delay” but does not define that term.

During an interview at about 11:15 a.m., O’Hearn Breton said, “We’ve not yet received notification from Target but we will be making outreach to them.”

Target reported on its site that it had “alerted authorities and financial institutions immediately after we discovered and confirmed the unauthorized access, and we are putting our full resources behind these efforts.”

O’Hearn Breton said the office had received three calls Thursday from consumers wondering about their rights.

Consumers concerned that they might be affected by data breaches or identity theft should monitor their credit reports and bank statements, O’Hearn Breton said, and immediately contact their bank or credit card company if they see any unauthorized purchases.

Massachusetts residents are also entitled to one free credit report per year from each of the three credit reporting companies – Equifax, Experion and TransUnion – and O’Hearn Breton suggested consumers take advantage of that option, perhaps requesting reports on staggered dates to check for any unauthorized openings of credit lines.

Target also noted on its site that Massachusetts law allows consumers to place a security freeze on their credit reports, which prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. The company added that a freeze “may delay, interfere with, or prevent the timely approval of any requests you make for new loans, mortgages, employment, housing or other services.”

Target said it is working with a third-party forensics firm “to conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future.”

At 11:40 a.m., Attorney General Martha Coakley’s office issued a press release with information about how consumers can protection their information against identity theft. Coakley also reported that the AG’s office had contacted Target “to review the circumstances of the breach and the steps the company is taking to address it.”

Coakley reported that Target has determined that online purchases were not affected by the data breach.