Target CFO will face Congress over data breach on Tuesday

WASHINGTON – Target Corp.'s chief financial officer heads to Capitol Hill Tuesday to face congressional questions for the first time about one of the largest computer data breaches in U.S. history.

CFO John Mulligan will testify before the Senate Judiciary Committee, along with federal officials charged with protecting consumer information. Mulligan returns to the witness stand Wednesday before a subcommittee of the House Energy and Commerce Committee.

Lawmakers are expected to grill Mulligan on the details of how hackers gained access to the payments data or personal information of up to 110 million Target customers late last year. The vast data breach at the retail giant remains under investigation by the Secret Service, the Department of Justice and a forensics team. State attorneys general have joined to conduct their own probe of the theft.

Democrats on the House ­committee have pushed ­Target to provide detailed information about its computer security system as well as its discovery of the breach in mid-December.

"Security experts have found that the hackers may have been able to break into systems at Target and other stores as a result of weak passwords on point-of-sale systems," Reps. Henry Waxman, D-Calif., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., wrote to Target CEO Gregg Steinhafel in late January.

The company has said little publicly about the origins of the breach or how it was discovered. Its explanation for why the company waited several days after its discovery to inform customers was that it wanted to prepare stores and call centers to answer customer questions.

"Target's drips-and-dregs method of slow-walking consumer notification of the extent of its breach has not served it well in the court of public opinion," said Ed Mierz­winski of the Federation of State Public Interest Research Groups. "Did it comply with existing state breach notification laws? We'll wait to see what state attorneys general say. Further, Target should be offering more to its customers to restore their good faith than a paltry credit monitoring service."

The retailers' group, which includes Minnesota-based Target and Best Buy among its members, also called for federal legislation to set a "baseline" for notifying authorities about security breaches, as well as a law setting out ways the private and public sectors must share cybersecurity information.

The Target breach has led to a stream of lawsuits for Minnesota's third-largest company. The company greeted the RILA proposals enthusiastically Monday.

"Target was pleased to be able to help launch the Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy," a spokeswoman said. "We look forward to being an active leader in this effort."

RILA's plan supports the country's migration to EMV smart card chip technology, but wants PINs to be required on all transactions, both debit and credit, and to quickly and completely retire the magnetic stripes on U.S. cards that make them vulnerable to cloning.

The banking and credit card industries have resisted efforts at upgrading technology, the group noted.

On its website, RILA said "cyberattacks on retailers are aimed at sensitive consumer financial data. … The number of those potentially affected in a successful attack is staggeringly high. Such a breach can affect consumers' faith in the system and can damage the relationship that all retailers seek to build with their ­customers."

The congressional hearing with Target's CFO can be seen here on C-SPAN.

jim.spencer@startribune.com • 202-383-6123 jennifer.bjorhus@startribune.com • 612-673-4683