An email sent to some customers by the retailer on Monday said it believes cross-border shoppers who went to U.S. Target stores between Nov. 27 and Dec. 15 were affected.
Target said its investigation found that personal information, like the names, addresses, emails and phone numbers of some Canadians may have been stolen.
The breach does not extend to payment data for the debit and credit cards of Canadians, which is what was taken from U.S. customers, it said.
"Target Canada stores were not impacted by the payment card breach," added president and CEO Gregg Steinhafel in the message.
Spokeswoman Lisa Gibson says the email was only sent to Canadian shoppers who Target believes could have had their information stolen.
However, the message also went to at least some Target Canada card holders who weren't in the United States over the affected period.
The security breach is believed to have involved 40 million credit and debit card accounts and the personal information of 70 million customers. Gibson said the number of Canadians affected is estimated to be "well under" one per cent of the total, which represents less than 700,000 customers.
Target has said Canadian stores weren't affected because they use a different payment system at cash registers.
The email to Canadian shoppers said Target has hired a third-party forensics firm to investigate the incident. It also plans to announce a "a credit-monitoring offer for impacted Canadian guests."
In the United States, police say account information stolen during the Target security breach is now being divided up and sold off regionally.
A South Texas police chief said officers had arrested two Mexican citizens carrying 96 fraudulent credit cards.
The cards, used by 27-year-old Mary Carmen Garcia and 28-year-old Daniel Guardiola Dominguez, both of Monterrey, Mexico, carried the account information of South Texas residents, said McAllen, Tx. Police Chief Victor Rodriguez.
They were used to buy tens of thousands of dollars' worth of merchandise at national retailers in the area.
The two were arrested Sunday morning at the border trying to re-enter the United States.
Target is just the latest retailer to be hit with a data breach problem. TJX Cos., which runs stores such as T.J. Maxx, Marshall's and Winners, had a breach that began in July 2005 that exposed at least 45.7 million credit and debit cards to possible fraud. The breach wasn't detected until December 2006.
In June 2009 TJX agreed to pay $9.75 million in a settlement with multiple states related to the massive data theft but stressed at the time that it firmly believed it did not violate any consumer protection or data security laws
— With files from The Associated Press
Also on HuffPost