Target: Stolen vendor data led to breach, costs reach $153M

The hackers who stole credit card numbers from Target (NYSE: TGT) have been tracked back to electronic credentials stolen from a vendor. The discovery is the first indication of how Target's POS systems were breached, resulting in the theft of at least 70 million credit and debit card numbers.

Speaking to The Wall Street Journal, Target spokeswoman Molly Snyder wouldn't identify the vendor or type of credentials since the investigation into the malware attack is ongoing. She did say, however, that since the breach was discovered on Dec. 15, the company has taken extra precautions such as limiting or updating access to some platforms.

The U.S. Justice Department on Wednesday said it has joined the investigation, which already includes the FBI and the Secret Service, to track down the thieves responsible for the attack. U.S. Attorney General Eric Holder told the Senate Committee that his office is "committed to working to find not only the perpetrators of these sorts of data breaches - but also any individuals and groups who exploit that data via credit card fraud."

Last week, some of the stolen card numbers turned up in the arrest of a pair of Mexican citizens at the U.S.-Mexico border. A few days later, the FBI warned U.S. retailers to prepare for more data breaches involving the same kind of RAM-scraping malware used against Target.

In the aftermath of the Target attack, U.S. banks have spent $153 million cleaning up the resulting mess, according to data from the Consumer Bankers Association. Over 15.3 million bank cards have been replaced, and banks have had to pay for extended branch hours and additional customer service staff in the breach's wake. Many banks have also had to reimburse customers who lost money when their stolen card numbers were used for unauthorized purchases.

Although banks are footing the bill for the costs thus far, it's likely that Target will end up bearing some of the costs, too. Banks have sued merchants following large security breaches in the past. The 2007 data breach at T.J. Maxx cost the company a reported $256 million in settlements with banks and credit card companies.

For more:
-See this Wall Street Journal article 
-See this Star Tribune article
-See this New York Times article
