House Oversight Committee investigating Target security breach
By Mark Hosenball
WASHINGTON (Reuters) – A House of Representatives committee with broad investigative jurisdiction has turned up the heat on Target Corp, demanding that the No. 3 U.S. retailer turn over internal documents and messages describing how and when it learned of a recent massive consumer data breach.
In a letter made available on Tuesday to Reuters, the House Committee on Oversight and Government Reform requested that Target turn over all documents or communications generated between November 1 and December 13, in which Target employees or “agents” discuss “any suspicion” that a data breach had occurred.
The committee set a deadline of March 10 for Target to turn over the materials. If the company does not comply, the committee’s majority Republicans have the power to issue a subpoena forcing the company’s compliance.
The news came a day before the company is expected to report fourth-quarter earnings and its leaders face Wall Street analysts for the first time since the breach.
Several analysts expect Target to slash its share buybacks as it copes with costs tied to the breach, which some estimate will cost the company $500 million to $1.1 billion.
The 19-day breach of Target’s computer networks over the holiday shopping period resulted in the theft of an estimated 40 million credit and debit card records and 70 million other records with customer information, such as addresses and telephone numbers.
In the letter dated Monday, the House committee also requested any documents generated between November 1 and December 19 referring to discussions about notifying others about the data breach, and any documents generated since December 12 in which any federal agency advised the company to avoid providing information to Congress.
Congressional sources said that this is the first time the majority on the Republican-led committee had sent such a request to Target.
The sources said the letter was prompted, at least in part, after committee officials felt dissatisfied with responses given by Isaac Reyes, an official with Target’s government relations department, during a January 30 conference call about the data breach.
The letter was signed by Oversight Committee Chairman Darrell Issa, a California Republican who has garnered headlines for his fierce criticism of the Obama administration’s performance on a wide range of issues.
The committee has wide jurisdiction to investigate government and private business activity.
In its letter, the panel hints that the retailer may not have been entirely forthcoming in its statements to the public and Congress about when it learned of the data breach.
Investigators believe that the hackers managed to break into Target’s payment network by first breaching a “data connection” between the U.S. retailer and a heating and ventilating systems contractor based near Pittsburgh.
The committee’s letter noted that in testimony before a Senate Judiciary Committee on February 4, John Mulligan, Target’s chief financial officer, testified that the company had no knowledge that malware related to the data breach had been installed in its systems before receiving a notification from the U.S. Justice Department on December 12.
The House oversight committee said that statement did not “clarify” when Target learned that it could have been the victim of a breach, since cybersecurity blog KrebsonSecurity reported that Target may have been warned earlier about a problem.
In January, minority Democrats on the House Energy and Commerce committee also sent a letter to Target requesting documents.
Congressional aides have said that Target responded to an earlier request for data issued by Democrats on the House Energy and Commerce Committee but that response, which has not been made public, did not provide new insight.
Asked why the Republican majority leaders on that committee did not push for the documents, Representative Lee Terry of Nebraska on February 5 said Target had been forthcoming during conversations with his staff and such pressure was unwarranted “until they don’t show that they are willing to give us data.”
A Target spokeswoman did not respond to a request for comment.
Target shares, which have fallen about 15 percent since the data breaches were made public in December, were up 0.6 percent in afternoon trading at $56.51.
(This version of the story corrects the deadline for documents in paragraph three to March 10 from March 1.)
(Additional reporting by Alina Selyukh and Dhanya Skariachan; Editing by Ros Krasny, Bill Trott and Amanda Kwan)
[Image via Agence France-Presse]