The giant retailer acknowledged this morning that intruders penetrated its systems beginning the day before the holiday, and maintained access for more than two weeks, potentially stealing the credit and debit card details of an estimated 40 million customers.

The breach, which was first reported by security journalist Brian Krebs on Wednesday, continued through December 15 and may have affected all locations nationwide. Customers who shopped through Target’s online storefront are not believed to have been affected.

The thieves breached the point-of-sale system (POS) and stole customer magstripe data, including names, credit or debit card numbers, expiration dates and everything else needed to make counterfeit cards. Target did not indicate if PIN numbers were also taken, which would allow the thieves to use the account data to withdraw cash from ATMs.