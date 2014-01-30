By Jim Finkle and Mark Hosenball
BOSTON/WASHINGTON Jan 29 Target Corp
said on Wednesday that the theft of a vendor's credentials
helped cyber criminals pull off a massive theft of customer data
during the holiday shopping season in late 2013.
It was the first indication of how networks at the No. 3
U.S. retailer were breached, resulting in the theft of about 40
million credit and debit card records and 70 million other
records with customer information such as addresses and
telephone numbers.
"The ongoing forensic investigation has indicated that the
intruder stole a vendor's credentials, which were used to access
our system," Target spokeswoman Molly Snyder said in a
statement.
She declined to elaborate on what type of credentials were
taken, who the vendor was, or to provide other details.
The company's shares have been hurt since the data breach
was announced on Dec. 19, and the incident has drawn scrutiny
from lawmakers as well as federal law enforcement and consumer
protection agencies.
Target closed at $56.89 per share on the New York Stock
Exchange on Wednesday, down 1.7 percent, after reaching its
lowest level since July 2012.
Earlier on Wednesday U.S. spy chiefs called on Congress to
draft stricter requirements for how retailers and other private
businesses should inform government agencies and customers about
big breaches of personal and financial data.
The comments came as Attorney General Eric Holder confirmed
that the Department of Justice was investigating the massive
hacking at Target.
Separately, at Wednesday's threat hearing before the Senate
Intelligence Committee, Barbara Mikulski of Maryland, where the
National Security Agency is headquartered, asked intelligence
chiefs if media leaks by former NSA contractor Edward Snowden
had affected U.S. cybersecurity efforts.
"Is the impact of the Snowden affair slowing us down in our
work to be more aggressive in the cybersecurity area?" Mikulski
asked.
FBI Director James Comey said political uproar over
surveillance and Snowden's leaks had complicated discussions
about how to fight consumer data breaches.
"There is the threat of fraud and theft because we've
connected our lives to the Internet," Comey said. "We need to
make sure that the private sector knows the rules of the road
and how we share that information with the government."
Some U.S. officials with responsibility for cybersecurity
have complained privately that, while states have created a
"patchwork" of local rules requiring businesses to report
breaches of consumer data to authorities and the public, there
are no similar federal requirements.
Congress has been wrestling for years with proposals for
legislation on data security but has been unable to reach
agreement. There is no national standard to govern how and when
businesses that suffer consumer data breaches must advise their
customers and federal agencies.
HOLDER CONFIRMS PROBE
Holder, testifying at a Senate Judiciary Committee hearing,
said the Justice Department would seek the perpetrators of the
Target breach as well as "any individuals and groups who exploit
that data via credit card fraud."
"While we generally do not discuss specific matters under
investigation, I can confirm the department is investigating the
breach involving the U.S. retailer, Target," Holder said.
The Secret Service has taken the lead investigating the
breaches at Target and other retailers, including Neiman Marcus
and Michaels Companies Inc, the largest U.S. arts
and crafts retailer.
Reuters reported on Jan. 23 that the FBI also warned U.S.
retailers to prepare for more cyber attacks after discovering
about 20 hacking cases over the past year that involved the same
kind of malicious software used against Target during the
holiday shopping season.
CONGRESS PILES ON
As lawmakers accelerated to gather information about the
data breaches, Senator Jay Rockefeller, Democratic chairman of
the Judiciary Committee, took a new tack, asking Target why the
company had not yet reported its data breach to the U.S.
Securities and Exchange Commission.
"Your failure thus far to provide this information to your
investors does not seem consistent with the spirit or the letter
of the SEC's financial disclosure rules," Rockefeller wrote in
the three-page letter to Target's chief executive.
Democratic members of the Energy and Commerce Committee on
Wednesday asked Neiman Marcus for documents relating to the
upscale retailer's recent cybersecurity breach. Last week, the
same lawmakers asked Target executives to provide an array of
internal documents.
On Thursday, members of the powerful House Oversight
Committee, which has broad investigative jurisdiction, will hold
a telephone briefing with Target representatives, during which
detailed questions are expected to be asked about how and why
the data breaches occurred.
Target's Snyder did not provide details about upcoming
meetings but reiterated that Target was "continuing to work with
elected officials to keep them informed and updated as our
investigation continues."
At least three different congressional panels are slated to
hold hearings, beginning next week. Target's chief financial
officer and a Neiman Marcus official will appear before the
Senate Judiciary panel on Tuesday.