Attorney General Eric H. Holder Jr. told lawmakers Wednesday that the Justice Department will find the hackers who lifted 40 million debit and credit card numbers from Target customers.
Appearing before the Senate Judiciary Committee, Holder confirmed that his agency is investigating the holiday heist that exposed vulnerabilities in the nation’s credit card system. Target first acknowledged the involvement of the Justice Department late last month, a week after warning customers that their account data may have been nabbed.
Holder said the government is working to find not only the perpetrators, but also anyone who uses the stolen data for credit card fraud. Hackers also grabbed personal information, including names, home addresses and telephone numbers, of up to an additional 70 million Target customers in that attack.
“The Department of Justice takes seriously reports of any data breach, particularly those involving personally identifiable or financial information, and looks into allegations that are brought to its attention,” he said.
The Secret Service has been assisting Target in the retailer’s investigation into the data breach, the company said. The nation’s second-largest retailer said it became aware of the cyberattack Dec. 15. Target issued an apology and offered customers a free year of credit monitoring and identity-theft protection.
Target confirmed Wednesday that its investigation indicated that the hacker stole a vendor’s credentials to access its system.
In the ensuing weeks, luxury retailer Neiman Marcus revealed that 1.1 million of its customers had also been affected by a three-month data breach. The cyberattack has resulted in 2,400 cards from customers being used in fraudulent transactions so far.
Security firm IntelCrawler identified a Russian teenager as the author of the malware that was probably used in the cyberattacks against Target and Neiman Marcus. The firm said it expects more retailers to announce that their systems were breached, because more than 60 versions of the malware have been sold to cybercriminals overseas.
This month, the FBI warned retailers of more attacks to come after discovering 20 breaches in the past year caused by the same malware that corrupted Target’s system, according to a person familiar with the case who was not authorized to speak publicly. The Reuters news agency first reported on the FBI report, which the bureau declined to discuss.
It is unclear whether Justice is investigating breaches at any other retailers. Officials at the department did not respond to requests for further comment.
The breadth of the attack on Target raised questions on Capitol Hill about the safety of customers’ data. Senate Democrats, including Robert Menendez (N.J.) and Mark R. Warner (Va.), requested a hearing, slated for next week, to examine whether retailers and financial service providers are doing enough to protect against fraud and identity theft. Staff on the House Oversight and Government Reform Committee plan to hold a briefing Thursday with executives from Target, according to a person familiar with the matter who was not authorized to speak publicly. The committee has scheduled a series of briefings with key actors, including credit union trade groups and the Federal Trade Commission, for information on threats to retailers’ data security, the person said.
Sen. Richard Blumenthal (D-Conn.), meanwhile, has urged the FTC to launch an investigation into Target’s security practices. The agency can bring an enforcement action against any company that fails to safeguard its customers’ personal information.
FTC officials would not confirm whether the agency is investigating Target, but the agency has brought dozens of similar cases in the past. Rite Aid, for instance, settled charges in 2010 that it failed to protect sensitive financial and medical information of customers and employees.
Most cases result in consent orders that force the company to establish tighter controls and subject it to routine audits, said Kim Peretti, a lawyer at Alston & Bird.
“It’s been relatively common that companies that disclose consumer data breaches face inquiries by either the FTC or state attorneys general,” she said. “They are very active in that space and have been increasingly active in that space.”
Target spokeswoman Molly Snyder said the company is in communication with the FTC, but she declined to provide details.