Millions of credit and debit card holders who shopped at Target (TGT) stores may be at risk of experiencing identify theft after a data breach at its stores.

The discount chain has revealed that hackers penetrated its store systems over between Nov. 27 and ending Dec. 15. During that 19-day span, data from more than 40 million credit and debit cards may have been compromised. The company spotted and repaired the data breach almost three weeks after it started, Reuters notes.

Target says that thieves had collected card numbers, expiration dates and customer names, along with other transaction data. That information could leave consumers vulnerable to identify theft. A media source says that hackers installed software at store card-swipe systems, allowing them to exploit the data breach to collect data.

The chain says it has alerted law enforcement agencies and financial institutions and is working with an outside investigator to trace the hackers and mitigate the damage from the data breach.

In October, software giant Adobe (ADBE), revealed a data breach that had allowed hackers to obtain personal and credit card data for 2.9 million customer accounts.

TGT shares fell almost 2% in Thursday trading.