WASHINGTON – A top executive of Target told a Senate committee Tuesday that the company has stepped up its efforts to improve its credit card system following a massive data breach last year.
Target Chief Financial Officer John Mulligan told the Senate Judiciary Committee the data breach affected customers who shopped at the company’s U.S. stores from Nov. 27 through Dec. 18.
Target announced on Dec. 19 that it had been a victim of one of the biggest credit card breaches on record.
Mulligan confirmed that the theft included customers’ names, credit and debit card information, debit-card personal identification numbers and the embedded codes on the card magnetic strips. An estimated 40 million credit and debit card accounts were affected by the breach.
Also stolen was personal data – names, phone numbers, mailing and email addresses – for up to 70 million customers who shopped at the store during the same period.
Mulligan said the retailer started an internal investigation of the breach on Dec. 13 after being notified by the Justice Department about suspicious activity involving payment cards used at Target stores. Two days after beginning its investigation, Target confirmed that criminals had infiltrated its system through the use of malicious software. That same day, it removed the malware from all registers in its U.S. stores.
Still unknown is how the malware that was used to carry out the theft got into Target’s computer system, and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor is also still unknown.
“We are working closely with the U.S. Secret Service and the U.S. Department of Justice on the investigation – to help bring to justice the criminals who perpetrated this wide-scale attack on Target,” Mulligan said.
Neiman Marcus also suffered breaches in a similar attack last year. The company disclosed in January that about 1.1 million customer payment cards may have been exposed during a data breach that occurred from July 16 to Oct. 30 last year.
“The maximum number of account numbers in our stores at that time when they were exposed to the malware was 1.1 million accounts,” Neiman Marcus Chief Information Officer Michael Kingston told the panel. “But we do believe, because the malware was only operating at certain times, that the number is less than that.”
Current credit cards in the U.S. use fraud-prone magnetic stripe technology from the 1960s to store information.
The companies and government officials suggested an expedited move to a new type of payment card technology known as “chip and PIN.”
This technology adds a smart microchip to the payment card and requires customers to use a PIN – instead of a signature – to complete a transaction.
The chip-and-PIN system is widely used in Canada and Europe. But U.S. retailers and credit card companies have been reluctant to spend the billions of dollars required to create an entirely new payment system.
Mulligan said Target plans to implement chip-and-PIN technology in its own credit cards by early 2015.
“You can come up with devices that will secure credit card data but it doesn’t alleviate the fact that we’re still talking about criminals that are doing it,” said William Noonan, a top agent with the Secret Service’s cyber operations branch. “These criminals are motivated by money. They’re going to use whatever they have at their disposal to still go after the pot of gold, which is held in the payment card systems piece.”