Hacker attacks could increase until 2015, when the United States shifts from magnetic stripe technology to EMV smart cards.
The chorus of anger over Target Corp.’s huge data security breach continues to increase, with a member of the Senate Banking Committee calling for the Federal Trade Commission to step up its involvement.
Standing outside a Jersey City, N.J., Target store on Thursday morning, Sen. Robert Menendez, D-N.J., announced that he had written to the Federal Trade Commission asking the agency to brief him on its efforts to protect consumers from data breaches.
“Unfortunately, these data breaches are becoming increasingly common,” Menendez wrote in his Dec. 20 letter to FTC Chairwoman Edith Ramirez.
At least two other Democratic lawmakers have spoken out about the 19-day attack on Target’s card-swiping terminals that exposed the credit and debit card information of 40 million customers.
Sen. Richard Blumenthal, D- Conn., has urged the FTC to look into the incident, noting that the agency has the authority to investigate the privacy and information-security policies of companies.
“Given the scope and duration of Target’s recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information,” Blumenthal wrote in his Dec. 22 letter.
Likewise, Sen. Chuck Schumer, D-N.Y., has called on the Consumer Financial Protection Bureau to conduct a full investigation.
The U.S. Secret Service and the Justice Department are investigating the theft, which occurred after malicious software was inserted onto the point-of-sale terminals at the registers where customers swipe their cards. It affected people who bought merchandise with any type of credit or debit cards, including Target’s own REDcard, in Target’s U.S. stores from Nov. 27 to Dec. 15.
Target has emphasized that it is not being investigated by the agencies.
“We are focused on partnering with the authorities who are investigating this crime against Target and our guests, and helping our guests understand what they need to know and what steps they can take,” Target spokeswoman Katie Boylan said Thursday.
Meanwhile, lawsuits from angry Target shoppers are piling up in courts around the country. The Minneapolis-based retailer faces more than a dozen such legal actions, at least three of which were filed in Minnesota.
It has been just more than a week since Internet security blogger Brian Krebs broke the news of the breach, and the nation’s No. 2 discount retailer continues working to contain the damage. Anxious shoppers have swamped the company’s phone lines, stoking frustrations.
It isn’t clear how much financial fraud has been committed with the stolen information, which included the CVV security codes embedded in the magnetic stripes on the cards. Krebs has said that stolen card data is being traded in black market “card shops” for $20 to more than $100 per card.
Target has repeatedly said that the security breach did not compromise debit card personal identification numbers (PINs), but would not elaborate.
Nonetheless, JPMorgan Chase & Co. is reissuing debit cards for 2 million customers and limiting transactions until the new cards arrive.
Santander Bank, based in Boston, is limiting the daily withdrawals on Santander and Sovereign branded debit and credit cards that were used at Target during the breach period, while it monitors them for suspicious activity.
Data security professionals say the breach is a glaring example of how vulnerable the United States is to fraud because it has hung on to creaky 1960s-1970s magnetic-stripe technology, partly because of the expense of changing it. The country is a laggard in the global shift to EMV chip cards, which are smart cards with sensitive information embedded in chips. (EMV stands for Europay, MasterCard and Visa.)
There is no hard deadline, but by October 2015 retailers are supposed to be ready to accept the new smart cards because that’s when the responsibility for fraudulent transactions shifts to the least-secure party. Retailers who aren’t ready to accept EMV cards on that date will be held responsible for any fraud, said Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton, N.J.
EMV technology makes it much more difficult to clone a card because the data is more secure inside a chip that can’t be easily duplicated. Also, when EMV cards are read at the point of sale, they generate a one-time, unique security code for each transaction. If the data is stolen, it’s unusable.
There is concern that as the U.S. market moves toward October 2015 there could be a surge of thefts as gangs try to take full advantage of the more easily plundered magnetic stripes.
“These attacks could increase between now and 2015,” Vanderhoof said.
Jennifer Bjorhus • 612-673-4683