The second biggest hack of a retail company in history probably originated overseas, say investigators looking into the theft of 40 million credit and debit card numbers used at Target stores from the day before Thanksgiving until December 15.

There are plenty of suspects, but something this big could probably be pulled off only by the Chinese government, or an ultra-sophistcated criminal organization like the Russian mob.

NBCNews:

Target Corp. is offering its 10 percent employee discount to shoppers this weekend following a massive breach of its customers' credit and debit card information.

Meanwhile, investigators believe that overseas hackers were responsible for the cyberattack that compromised up to 40 million payment cards during the first three weeks of the holiday shopping season, a person familiar with the matter told Reuters.

"Our guests' trust is our top priority at Target and we are committed to making this right," Target CEO Gregg Steinhafel said in a statement on Target's website Friday.

The cyberattack "was a crime against Target, our team members, and most importantly, our guests," Steinhafel said. "We're in this together, and in that spirit, we are extending a 10 percent discount - the same amount our team members receive - to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores."

The offer is limited to one in-store transaction per guest. Target has also pledged free credit monitoring for affected customers.                      

Government investigators don't believe the overseas hackers had inside help, according to Reuters' source, who was not authorized to talk publicly about the matter.

The source declined to say how the hackers got in or where investigators believe they are based, saying investigators don't want to show their hand to the criminals or afford them a chance to destroy evidence.

As the investigation continued, the blogger who first broke news of the breach, Brian Krebs, reported that data stolen from Target had begun flooding underground markets that sell stolen credit cards.

KrebsOnSecurity.com reported Friday that cards stolen from Target were being offered at "card shops" for rates starting at $20 each and going to more than $100.

A Secret Service spokesman declined comment on the investigation, which the agency is running.

The retailer reported the breach Thursday, a day after Krebs broke news of the attack. Target has declined to say how its systems were compromised and has provided few other details about the case.

Target has a lot to answer for. The breach appears to have been at the point of sale where customers swiped their credit cards to pay for the transaction. One would think that this obvious target of hackers would have had the best security. Also, no word why it took more than 3 weeks for Target to discover the hack.

The arms race between hackers and security companies continues. It looks like the crooks won this round.