By Jim Finkle and Mark Hosenball
BOSTON/WASHINGTON (Reuters) - Target Corp said on Wednesday that the theft of a vendor's credentials helped cyber criminals pull off a massive theft of customer data during the holiday shopping season in late 2013.
It was the first indication of how networks at the No. 3 U.S. retailer were breached, resulting in the theft of about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers.
"The ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system," Target spokeswoman Molly Snyder said in a statement.
She declined to elaborate on what type of credentials were taken, who the vendor was, or to provide other details.
The company's shares have been hurt since the data breach was announced on December 19, and the incident has drawn scrutiny from lawmakers as well as federal law enforcement and consumer protection agencies.
Target closed at $56.89 per share on the New York Stock Exchange on Wednesday, down 1.7 percent, after reaching its lowest level since July 2012.
Earlier on Wednesday U.S. spy chiefs called on Congress to draft stricter requirements for how retailers and other private businesses should inform government agencies and customers about big breaches of personal and financial data.
The comments came as Attorney General Eric Holder confirmed that the Department of Justice was investigating the massive hacking at Target.
Separately, at Wednesday's threat hearing before the Senate Intelligence Committee, Barbara Mikulski of Maryland, where the National Security Agency is headquartered, asked intelligence chiefs if media leaks by former NSA contractor Edward Snowden had affected U.S. cybersecurity efforts.
"Is the impact of the Snowden affair slowing us down in our work to be more aggressive in the cybersecurity area?" Mikulski asked.
FBI Director James Comey said political uproar over surveillance and Snowden's leaks had complicated discussions about how to fight consumer data breaches.
"There is the threat of fraud and theft because we've connected our lives to the Internet," Comey said. "We need to make sure that the private sector knows the rules of the road and how we share that information with the government."
Some U.S. officials with responsibility for cybersecurity have complained privately that, while states have created a "patchwork" of local rules requiring businesses to report breaches of consumer data to authorities and the public, there are no similar federal requirements.
Congress has been wrestling for years with proposals for legislation on data security but has been unable to reach agreement. There is no national standard to govern how and when businesses that suffer consumer data breaches must advise their customers and federal agencies.
HOLDER CONFIRMS PROBE
Holder, testifying at a Senate Judiciary Committee hearing, said the Justice Department would seek the perpetrators of the Target breach as well as "any individuals and groups who exploit that data via credit card fraud."
"While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the U.S. retailer, Target," Holder said.
The Secret Service has taken the lead investigating the breaches at Target and other retailers, including Neiman Marcus and Michaels Companies Inc, the largest U.S. arts and crafts retailer.
Reuters reported on January 23 that the FBI also warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases over the past year that involved the same kind of malicious software used against Target during the holiday shopping season.
CONGRESS PILES ON
As lawmakers accelerated to gather information about the data breaches, Senator Jay Rockefeller, Democratic chairman of the Judiciary Committee, took a new tack, asking Target why the company had not yet reported its data breach to the U.S. Securities and Exchange Commission.
"Your failure thus far to provide this information to your investors does not seem consistent with the spirit or the letter of the SEC's financial disclosure rules," Rockefeller wrote in the three-page letter to Target's chief executive.
Democratic members of the Energy and Commerce Committee on Wednesday asked Neiman Marcus for documents relating to the upscale retailer's recent cybersecurity breach. Last week, the same lawmakers asked Target executives to provide an array of internal documents.
On Thursday, members of the powerful House Oversight Committee, which has broad investigative jurisdiction, will hold a telephone briefing with Target representatives, during which detailed questions are expected to be asked about how and why the data breaches occurred.
Target's Snyder did not provide details about upcoming meetings but reiterated that Target was "continuing to work with elected officials to keep them informed and updated as our investigation continues."
At least three different congressional panels are slated to hold hearings, beginning next week. Target's chief financial officer and a Neiman Marcus official will appear before the Senate Judiciary panel on Tuesday.
(Additional reporting by Dhanya Skariachan in New York, and Lawrence Hurley, Susan Heavey and Alina Selyukh in Washington; Writing by Ros Krasny; Editing by Howard Goller, Bernadette Baum, Tom Brown and Ken Wills)