MINNEAPOLIS — The Justice Department began investigating the data security breach plaguing Target and its shoppers, the company said Monday as banks fought to head off fraud risk.
Target disclosed the Justice Department's involvement in a brief statement that also said its top lawyer planned a conference call with state attorneys general to discuss the breach and its impact. Target did not elaborate on the Justice Department's focus, and a spokesman for the government agency declined to comment.
IT security experts said it may indicate a suspect or suspects have been identified. "I can't see another reason they would be involved at this point," said Al Pascual, security risk and fraud analyst at Javelin Strategy & Research.
Target finally confirmed Monday that the attack involved malicious software that somehow got on the point-of-sale card-swiping devices in the checkout aisles of Target's U.S. stores. The attack exposed debit and credit card information of 40 million customers who bought merchandise in U.S. stores from Nov. 27 to Dec. 15.
A Tampa woman who said she shopped at Target during those dates has filed a lawsuit against the corporation in federal court.
In a suit Friday, a plaintiff identified as Maria Cruz asserts Target was negligent, breached it fiduciary duty and invaded her privacy. Her suit does not say that she has suffered any fraudulent charges as a result, but she has asked a judge to certify her suit as a class action.
Target has not yet responded.
Nearly any type of credit and debit card used for purchases at the store during the 19-day period was affected, including Target's own Redcard debit and credit cards. The data breach is among the largest recorded and remains under investigation by the U.S. Secret Service and an outside forensics company working with Target. To date, little actual card fraud related to the data security breach has been reported.
Target has repeatedly said the heist did not compromise debit card PIN numbers. Still, some institutions have decided to proactively reissue new debit cards and PIN numbers to affected customers. JPMorgan Chase imposed daily limits on ATM debit withdrawals and debit card purchases of about 2 million of its customers whose accounts were exposed. There's pressure not to cancel cards since it costs banks about $4 to $5 to replace each consumer's card.