Target details data theft in front of Senate panel

Company accelerates its plans to change to chip-enabled smart card

February 7, 2014 at 2:40AM

WASHINGTON – A top Target Corp. executive said Tuesday that a desire to provide accurate information led the retailer to wait several days before telling the public about a data breach that affected up to 110 million customers.

Appearing on Capitol Hill to explain one of the biggest heists of computerized data in American history, chief financial officer John Mulligan described a hectic week between Dec. 12, when Target first heard that its computer system may have been hacked, and the time it told customers about the crime.

The Minneapolis-based company first took three days to confirm the presence of malware, then removed it from "virtually all registers in our U.S. stores," Mulligan said. Then Target told payment processors and card networks about the trouble, fixed 25 more registers and prepared its employees for the onslaught of inquiries it expected when it let shoppers know of the breach.

Finally, on Dec. 19, seven days after hearing from the U.S. Justice Department about "suspicious activity involving payment cards," Target announced the data breach publicly.

"Our view is there's a need for a balance to be struck," Mulligan told members of the Senate Judiciary Committee. Customers had to be told, Mulligan said, but they also deserved accurate information as they tried to protect themselves.

Some consumer advocates have suggested that Target could have moved faster to let customers know what happened.

Sen. Dianne Feinstein, D-Calif., stressed the need to reach customers individually in addition to making public announcements. "Public notification is vague," Feinstein said.

Target initially said the breach potentially exposed card information from 40 million people who bought something in one of the company's nearly 1,800 U.S. stores between Nov. 27 and Dec. 15. CEO Gregg Steinhafel told CNBC he learned of the breach on Dec. 15.

In early January, the company said personal information such as addresses and phone numbers for as many as 70 million customers may also have been compromised.

Mulligan's testimony and the testimony of six others revealed a broad national vulnerability to cyberthieves that has to be addressed legislatively, said Minnesota Sens. Amy Klobuchar and Al Franken, both members of the Judiciary Committee.

"When we push cyberbills, we get push back [from industry and technology groups]," Klobuchar said. "We have learned from this data breach that we can no longer do nothing."

Franken called cyberattacks "systemic" at a time when the federal government imposes no cybersecurity standards or cybertheft reporting requirements.

"We have to update our card technology," Franken said.

Franken asked Mulligan about published reports that Target's cybersecurity system was "astonishingly" weak.

Mulligan disagreed, telling Franken that the company has spent "hundreds of millions of dollars" on a multilayered consumer protection protocol.

Still, Target had no idea its computers had been hacked until the Justice Department called, Mulligan acknowledged. He promised an "end-to-end review" and "security enhancements."

Chip technology coming

Among them is a plan to spend $100 million upgrading anti-theft technology used in the company's proprietary credit and discount cards called Redcards.

The technology involves computer chips and personal identification numbers now in use in Europe. The plan also includes updating card readers in 1,800 Target stores, and it should be ready by early 2015, the company said in a release Tuesday.

Mulligan further reported that to date, Target has seen no fraud activity on its proprietary credit and discount cards due to the breach and "a very low amount of additional fraud on our Target Visa card."

Mulligan will be back on Capitol Hill on Wednesday to appear before a subcommittee of the House Energy and Commerce Committee.

Neiman Marcus woes

Target was not the only company questioned at the Senate hearing. The chief information officer of upscale clothier Neiman Marcus explained a cyberattack on his company's computers similar to the one Target suffered. He said the malware infecting Neiman Marcus computers had a "zero detectability rate" using standard computer protection programs. That breach affected 1.1 million customers.

"The pace of attacks is increasing," said Fran Rosch, an executive with Symantec, a maker of computer security software. There is a need for information to be "continuously encrypted."

Everyone is vulnerable

That might have helped Target avoid its current crisis.

"We now know that the intruder stole a vendor's credentials to access our system and place malware at point-of-sale registers," Mulligan said in his testimony. "The malware was designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system."

But the company later found that the malware also had captured "strongly encrypted" information that employed personal identification numbers.

Sen. Sheldon Whitehouse, D-R.I., said that when a company as large as Target "can be hacked without knowing it, it is not to say that Target did something wrong," but that everyone is vulnerable.

Klobuchar agreed, saying, "This can happen to anyone."

Executives including, from left: John Mulligan of Target, Michael Kingston of Neiman Marcus, Delara Derakhshani of the Consumers Union and Fran Rosch of Symantec take the oath before the Senate Judiciary Committee on Capitol Hill in Washington, Jan. 4, 2014. The hearing focused on preventing data breaches and cybercrime and comes amid reports of consumers using more cash instead of plastic in the wake of credit card data security breaches. (Stephen Crowley/The New York Times)
Taking the oath at the start of Tuesday’s Senate Judiciary Committee hearing are, from left, Target chief financial officer John Mulligan, Michael Kingston of Neiman Marcus, Delara Derakhshani from the Consumers Union and Symantec’s Fran Rosch. (The Minnesota Star Tribune)
FILE - In this Jan. 18, 2008 file photo, a customer signs his credit card receipt at a Target store in Tallahassee, Fla. (AP Photo/Phil Coale/The Minnesota Star Tribune)
John J. Mulligan, executive Vice President and Chief Financial Officer of the Target Corporation, listens on Capitol Hill in Washington, Tuesday, Feb. 4, 2014, while testifying before the Senate Judiciary Committee hearing on data breaches and combating cybercrime. (Associated Press/The Minnesota Star Tribune)
about the writer

Jim Spencer

Washington Correspondent

Washington correspondent Jim Spencer examines the impact of federal politics and policy on Minnesota businesses, especially the medical technology, food distribution, farming, manufacturing, retail and health insurance industries.  
