It’s not the happiest of holidays for Target. According to Time Magazine, the discount retailer corporation has been hit by a potentially devastating lawsuit over a recent hack that may have left as many as 40 million customers vulnerable to identity theft. The lawsuit was filed by a California woman named Jennifer Kirk and lodged with a San Francisco federal court. Kirk wants to turn her claim into a massive class-action suit, and is hoping to recruit other Target customers affected by the hack.

The data breach, which reportedly occurred between November 27th and December 15th, may impact any customer who shopped in a Target store at some point during those two and a half weeks and used a credit or debit card to complete a transaction. The breach was the result of a computer virus, which somehow found its way into the sales terminals used to swipe consumer’s credit or debit cards. Target estimates that some 40 million of its shoppers could have been put at risk as a result of the security flaw. Hackers may now have the customer names, card numbers, expiration dates, and card verification values of any card used during the breach.

Kirk has gone on record accusing Target of failing “to implement and maintain reasonable security procedures and practices.” She believes that, considering the sheer number of customers who shop at Target and the sensitive nature of their payment information, the company should have had much stronger safeguards in place to prevent or correct a security breach of this scope. If she finds enough people who agree with her, Target could stand to lose a fortune in class action settlements.

It isn’t likely that Kirk will have trouble finding upset shoppers. This data breach could not have come at a worse time for target, as the 2.5-week span of the hack encompassed not only the bulk of popular Christmas shopping days, but also Black Friday – the biggest shopping and sales day of the year, and one that almost undoubtedly saw tens of millions of credit/debit card swipes on its own.

As the lawsuit builds, Target is doing their part to lessen the blow of the security breach for customers. In a corporate statement published on December 19th, the company expressed its regrets for the hack and gave customers tips and resources for how to deal with identity theft if they find themselves victimized. The company stated that it was “partnering with a third-party forensics team” to investigate the security hole. The government has also put the Secret Service on the case.