WASHINGTON – A top Target Corp. executive said Tuesday that a desire to provide accurate information led the retailer to wait several days before telling the public about a data breach that affected up to 110 million customers.
Appearing on Capitol Hill to explain one of the biggest heists of computerized data in American history, chief financial officer John Mulligan described a hectic week between Dec. 12, when Target first heard that its computer system may have been hacked, and the time it told customers about the crime.
The Minneapolis-based company first took three days to confirm the presence of malware, then removed it from "virtually all registers in our U.S. stores," Mulligan said. Then Target told payment processors and card networks about the trouble, fixed 25 more registers and prepared its employees for the onslaught of inquiries it expected when it let shoppers know of the breach.
Finally, on Dec. 19, seven days after hearing from the U.S. Justice Department about "suspicious activity involving payment cards," Target announced the data breach publicly.
"Our view is there's a need for a balance to be struck," Mulligan told members of the Senate Judiciary Committee. Customers had to be told, Mulligan said, but they also deserved accurate information as they tried to protect themselves.
Some consumer advocates have suggested that Target could have moved faster to let customers know what happened.
Sen. Dianne Feinstein, D-Calif., stressed the need to reach customers individually in addition to making public announcements. "Public notification is vague," Feinstein said.
Target initially said the breach potentially exposed card information from 40 million people who bought something in one of the company's nearly 1,800 U.S. stores between Nov. 27 and Dec. 15. CEO Gregg Steinhafel told CNBC he learned of the breach on Dec. 15.