Secret Service: Target hackers were sophisticated

Published 9:19 am Thursday, February 6, 2014

By Jim Spencer

Star Tribune

WASHINGTON — The hackers who stole data from Target Corp. were “highly technical and sophisticated” and likely were located outside the United States, a Secret Service official told a House subcommittee looking into one of the biggest thefts of computerized information in the country’s history.


William Noonan, the deputy special agent in charge of criminal investigations of cybercrimes, said Tuesday that the hackers who tapped financial and personal information affecting up to 110 million Target customers were well-organized and studied the company before finding a way into its computer system.

Noonan said the malware inserted into the Target system was different than malware that infected retailer Neiman-Marcus, which also suffered a cyber-attack in the second half of 2013.

Noonan said the Secret Service doesn’t know if the same hackers attacked both companies. But the methods of operation looked a lot alike.

“The malware used to infect the computers systems were not off the shelf,” Noonan said.

“So it was specifically designed for Target,” concluded Rep. Lee Terry (R-Neb.).

In addition, the Target malware was tweaked in such a way that it could not be spotted by any commercially available computer system protections, said Lawrence Zelvin, who directs cybersecurity operations for the Department of Homeland Security.

But Lisa Madigan, the Illinois Attorney General who co-chairs a multi-state investigation of the Target and Neiman-Marcus breaches, said companies continue to make simple mistakes.

Madigan would not discuss the details of her Target/Neiman-Marcus inquiry. But she outlined what she is looking for: “To confirm that companies notified their customers within a reasonable timeframe and satisfied the requirements” of state laws and “to ensure that companies suffering breaches took reasonable steps to protect their customers’ sensitive data from disclosure.”

Common problems include failure to use strong passwords, failure to encrypt consumer information and failure to apply available “patches” that update computer protections.

Target has said that hackers gained access to its system by stealing a vendor’s credentials and signing on to its network. The company also said some of its customer information was stolen before it could be encrypted.

Target offered virtually the same testimony in the House on Wednesday as it did before the Senate Judiciary Committee on Tuesday.

As he did in his Senate testimony, Target chief financial officer John Mulligan told the House subcommittee that the company suffered the data breach despite having “firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools.”

“We perform internal and external validation and benchmarking assessments,” Mulligan added. “And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards.”

Terry asked Mulligan if Target suffered a “process failure” in its computer protection protocols.

“We don’t understand that today,” Mulligan replied.

Mulligan also could not explain why Target was able to find malware within three days after the U.S. Justice Department told the company of suspicious credit card activity on June 12, but could not find it through its own credit and debit card security system when the attack occurred.

“We’re trying to find out why,” Mulligan told the subcommittee, adding that he did not know when Target might have the answer.

Distributed by MCT Information Services