Target Corp. was sued by a Christmas shopper claiming she may have been exposed to identity theft from a data breach affecting 40 million debit and credit cards.

The lawsuit, filed Dec. 19 in federal court in San Francisco, follows the Minneapolis-based company's statement that the information was breached from Nov. 27 to Dec. 15, and that authorities and financial institutions were alerted immediately.

The lawsuit, based on allegations of invasion of privacy and negligence, claims the stolen data may permit the counterfeiting of cards by encoding the information onto any cards with a magnetic strip, and may have also revealed customers' personal codes for debit cards.

"Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach," according to the complaint.

The statement and ensuing lawsuit come as U.S. retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009.

Jennifer Kirk, a California resident, seeks to represent other Target customers affected by the security breach in a class-action lawsuit.

Molly Snyder, a spokeswoman for Target, declined to immediately comment on the lawsuit.

Target is also accused in the complaint of posting its Dec. 19 statement about the data breach as it was reported in the media on its corporate website, and not the shopping site that customers regularly visit. Target claimed to have "identified and resolved the issue," according to the complaint, which conveyed a "false sense of security to affected customers," according to the complaint.

The case is Kirk v. Target Corp., 13-cv-05885, U.S. District, Northern District of California (San Francisco).

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry