Target Corp. on Monday held a conference call with state attorneys general and said malware was involved in its data breach that compromised up to 40 million credit and debit card accounts.
The new developments follow the discount-store chain’s disclosure Thursday of a breach in the point-of-sale system for its nearly 1,800 U.S. stores. The breach caused a tide of bad publicity for the No. 2 general merchandise retailer and generated high volumes of calls and visits to its customer-service phone line and Web site just before Christmas.
At least four state attorneys general asked Target for more information about the breach, a possible precursor to a multistate investigation, according to USA Today. “We have proactively reached out to the state attorneys general and invited them to a call this afternoon with our general counsel where we will help bring them up to date on the data breach that has impacted Target and our guests,” a new statement from Target says.
Target, which already faces several private lawsuits, also said it is working with the U.S. Secret Service and Department of Justice to investigate the breach, which occurred between Nov. 27 and Dec. 15. The company also has hired a unit of Verizon Communications Inc. as forensic investigator.
Meanwhile, Target confirmed that malware was involved in the breach, but said little else about its cause. “Due to the nature of the investigation, the Secret Service has asked not to share many of the details of the forensics and investigation,” Monday’s statement says.
The Krebs on Security Web site says that credit and debit card account data stolen from Target are flooding the black market. Target’s latest statement gave no information about the amount of confirmed fraud on compromised accounts, but on Friday the retailer said that so far it was aware of little such fraud.
JPMorgan Chase and Co., the nation’s largest bank, on Monday raised withdrawal and purchase limits it imposed over the weekend on 2 million Chase debit card holders whose cards were involved in the breach. Cardholders are now limited to $1,000 daily in purchases and $250 in cash withdrawals. The original limits were $300 in purchases and $100 in withdrawals.
Target, which has apologized to its customers, has said its customer-service system strained to keep up with the call and Web-site visit volumes, causing delays. The company said it has communicated with 17 million customers via email “and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call.” Target also is communicating with customers via social media. In response to the breach, Target offered 10% off to customers on Saturday and Sunday.