Target Corp. shares made strong gains after it reassured investors that customers were beginning to return to its U.S. stores, suggesting that the impact of a massive data breach may not be as severe as some had feared.

The third-largest U.S. retailer said on Wednesday that customer traffic had started to improve this year after falling significantly at the end of the holidays when news of the cyber attack and theft of payment card data spooked shoppers.

Chief Financial Officer John Mulligan said on a conference call he expected first-quarter sales at its established U.S. stores to be flat to down 2 percent and so far in February, they have been running within that range and nearly flat to last year.

Target shares, which had fallen 11 percent since news of the breach broke before Wednesday, were up 6.8 percent at $60.37, their highest level for almost six weeks.

It was the first time the Minneapolis-based chain had faced Wall Street since the breach, which led to the theft of about 40 million credit and debit card records and 70 million other records with information such as addresses and phone numbers of shoppers compromised.

Earlier on Wednesday, Target warned that costs tied to the cyber attack could hurt its results in the first quarter and beyond.

Still, its shares rose as its full-year outlook was better than some investors had expected. Mulligan said on the call that the outlook did not include potential additional costs related to the data breach.

$44 million out of $61 million in expenses related to the breach were offset by an insurance payment, bringing the net impact on Target down to $17 million in breach-related expenses.

The retailer now sees 2014 buyback capacity at $1 billion to $2 billion as it sets aside money to cope with the breach and tries to stay away from borrowing more to preserve its credit rating. It had originally planned to buy back up to $4 billion of shares this year.

Target reported a 46 percent drop in net profit in the crucial holiday quarter and reported $61 million in costs related to the breach, much of which was covered by insurance. It did not provide an estimate on future expenses related to the cyber attack, though it said they “may have a material adverse effect” on results of operations through the end of the current year and beyond.

“It is going to take some time for this to heal,” said Sean Naughton of Piper Jaffray, who estimates that transactions were down “in the high single digits” in the weeks after the breach was disclosed.

Target said it sees first-quarter profit of 60 cents to 75 cents, excluding expenses related to the data breach and other items. Analysts expect the company to report quarterly profit of 85 cents, according to Thomson Reuters I/B/E/S. For the full year, Target sees earnings of $3.85 to $4.15 a share on that basis, compared with the analyst forecast of $4.15 per share.

Naughton said that Target’s reputation for having a top-rate shopping experience had been tarnished by the fact that many customers have either had to have payment cards replaced or find themselves checking their monthly statements more closely, giving them a negative association with the retailer.

He noted that Target posted a 5.5 percent drop in transaction count during the quarter, the worst he had ever seen, even steeper than the 4.8 percent drop reported when the United States was in the midst of a financial crisis in the fourth quarter of 2008.

Sales fell 3.8 percent to $21.52 billion in the fourth quarter, missing the already lowered estimate of $22.37 billion, according to Thomson Reuters I/B/E/S. Sales at U.S. stores open at least a year, fell 2.5 percent.

The data breach “took the wind out of Target’s sails – and unfortunately sales,” said Sandy Skrovan, U.S. Research Director at Planet Retail.

Net earnings fell to $520 million, or 81 cents a share in the three months that ended on Feb 1, from $961 million, or $1.47 a share, a year earlier. Excluding its losses in Canada and a host of items, it earned $1.30 a share. That was at the high end of its lowered forecast from January.

The retailer had already lowered expectations for the fourth quarter. News of the breach has hurt its reputation and stock, and made many on Wall Street take down their profit and sales estimates on Target.

The Breach Effect

Target said of the $61 million in expenses related to the breach during the quarter, $44 million were offset by an insurance payment, bringing the impact to $17 million.

Mark Rasch, a former cyber crimes prosecutor who worked on some of the biggest U.S. payment card breach cases, said that it was too early to estimate how big the bill would be, but it would certainly be in the hundreds of millions of dollars and could top $1 billion. “We know it is going to be big. We just don’t know how big,” he said.

Target has declined to discuss exactly what sorts of costs its cyber insurance will cover or identify its insurers.

Insurers offer cyber policies that cover costs for items such as investigating breaches and repairing networks, compensating credit card issuers for fraudulent activity, fighting lawsuits and responding to regulatory probes.

Target said breach-related expenses may include costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investments.