The U.S. Securities and Exchange Commission won’t pursue an enforcement action against Target Corp. after hackers stole data on 40 million credit and debit cards during the 2013 holiday shopping season, according to a regulatory filing.

The agency finished its probe during Target’s second quarter this year, which ended Aug. 1, the Minneapolis-based retailer said in a regulatory filing Tuesday. The Federal Trade Commission and state attorneys general are still investigating the breach.

Hackers stole credit- and debit-card data, as well as personal information, for as many as 110 million Target customers during the 2013 holiday season. The retailer has reached a settlement with Visa Inc. over the attack and will pay as much as $67 million to banks that issue Visa cards, a person familiar with the matter said at the time. Target also agreed to pay $10 million to customers whose personal information may have been taken.

Molly Snyder, a spokeswoman for Target, wasn’t immediately able to comment on the filing.

The SEC has the authority to impose penalties on companies that don’t disclose the magnitude of data breaches or fail to properly detail their policies and procedures in protecting consumer data. Erin Stattel, an SEC spokeswoman, declined to comment on the case.

The Federal Trade Commission also has the authority to oversee corporate cybersecurity practices. In an Aug. 24 ruling, the U.S. Court of Appeals for the Third Circuit, in a case involving Wyndham Worldwide Corp, said the FTC could sue the hotel chain for failing to secure its computers from hackers.

Wyndham argued that the company was itself a victim and was being penalized unfairly.

According to the FTC, the agency has already settled 53 data-security cases against companies including SnapChat Inc., Reed Elsevier Inc. and Credit Karma Inc.