MINNEAPOLIS — The Justice Department began investigating the data security breach plaguing Target Corp. and its shoppers, the company said Monday as the nation’s banks fought to head off fraud risk.
The Minneapolis-based retailer disclosed the Justice Department’s involvement in a brief statement that also said its top lawyer planned a conference call with state attorneys general to discuss the breach and its effect. Target did not elaborate on the Justice Department’s focus, and a spokesman for the government agency declined to comment.
IT security experts said it could indicate that a suspect or suspects have been identified.
“I can’t see another reason that they would be involved at this point,” said Al Pascual, security risk and fraud analyst at Javelin Strategy & Research. “It’s too early to say it’s criminal negligence on the part of the company.”
The trendsetting discount retailer has been emphasizing that it was the victim of a sophisticated crime and sought to bolster the public’s confidence by extending a 10 percent discount to shoppers in the stores on Dec. 21 and 22.
Target finally confirmed Monday that the attack involved malicious software that somehow got on the point-of-sale card-swiping devices in the checkout aisles of Target’s U.S. stores. The attack exposed debit and credit card information of 40 million customers who bought merchandise in U.S. stores from Nov. 27 to Dec 15. News of the data attack sent consumers scrambling for information from Target, jamming the company’s phones.
“We have communicated to 17 million guests via email and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call,” Target spokeswoman Molly Snyder said Monday in the statement.
The data breach is among the largest recorded and remains under investigation by the U.S. Secret Service and an outside forensics company working with Target.
Over the weekend JPMorgan Chase & Co., one of the country’s largest card issuers, imposed daily limits on ATM debit withdrawals and debit card purchases of about 2 million of its customers whose accounts were exposed in the Target breach.
At first, Chase limited customers to cash withdrawals of $100 a day and total purchases of $300 a day. It has since relaxed the restrictions to cash withdrawals of $250 and total purchases of $1,000 a day.
“We realize this could not have happened at a more inconvenient time with the holiday season upon us,” Chase said in its notice to its customers.
San Francisco-based Wells Fargo & Co., and Minneapolis-based U.S. Bancorp, both said they aren’t canceling or restricting cards.