Retailer said the credentials were used to hack company systems at checkout.
Target Corp. said Wednesday that the huge data breach it suffered late last year happened after an intruder stole a vendor’s credentials and used them to gain access to the company’s computer system.
A Target spokeswoman wouldn’t identify the vendor or type of credentials because the retailer is in the midst of forensic and criminal investigations into the malware attack, where cybercrooks hijacked debit and credit card information from up to 110 million people.
“We’re conducting an end-to-end review of our systems,” spokeswoman Molly Snyder said in an interview.
In a written statement the company issued in response to questions, Snyder said Target has eliminated the malware and closed the access. She said the Minneapolis-based company has also taken extra precautions such as limiting or updating access to some platforms while the investigation continues.
The new detail about stolen credentials sheds a spark of light on a key question that has circled around the heist: How did the cybercrooks break into Target’s point-of-sale system to insert malicious software?
Data security blogger Brian Krebs, who first broke the news of Target’s breach in December, said he doesn’t know with certainty what vendor or stolen credentials Target is referring to.
In his blog, KrebsOnSecurity, Krebs wrote Wednesday that one of the pieces of malware used in the Target attack appeared to be mimicking a default password from an IT management software product used by many major retailers. The software is produced by Houston-based BMC Software, and he suspects Target uses it.
The default password essentially creates a vulnerable back door built into the software.
“It has a hidden password that not even the people installing the system know about but apparently the bad guys know about it,” Krebs said.
BMC spokesman Mark Stouse said he couldn’t discuss Target’s comments or Krebs’ assertions. “BMC Software has received no information from Target or the investigators about this matter,” he said.
When asked if BMC is part of the investigation, Strouse said: “We are definitely collaborating with McAfee.”
McAfee is a leading computer security company based in Santa Clara, Calif.
Stouse said BMC has no indication that its products “were leveraged or compromised in this attack.
“BMC has alerted our customers to be diligent about potential malware that may be masquerading as a BMC product,” he said in an e-mail.
The Target breach is one of the country’s largest recorded data security breaches. It has forced U.S. banks to issue at least 15 million new credit and debit cards so far to people who bought merchandise in Target stores during the breach period, and is fueling efforts to pass federal legislation to better protect consumer information.
Target’s CFO will appear at a Senate Judiciary Committee hearing Tuesday on the investigation and efforts to safeguard consumer information.
Attorney General Eric Holder told the Senate Judiciary Committee Wednesday that the Justice Department is committed to finding the hackers behind the cyberheist. His remarks were the first official confirmation that the Justice Department is part of the investigation.
“We are committed to working to find not only the perpetrators of these sorts of data breaches, but also any individuals and groups who exploit that data via credit card fraud,” Holder said.
In the Target attack, hackers somehow inserted memory-scraping malware into the point-of-sale systems at the checkout in Target’s U.S. stores that scooped up data from an estimated 40 million credit and debit cards, including about 6.5 million of Target’s Redcard Visa credit cards and Redcard debit cards.
The company later revealed that thieves also stole the partial personal information of 70 million people, including names, mailing addresses, phone numbers or e-mail addresses.
Jennifer Bjorhus • 612-673-4683