WASHINGTON – A top executive of Target told a Senate committee Tuesday that the company has stepped up its efforts to improve its credit card system following a massive data breach last year.
Target Chief Financial Officer John Mulligan told the Senate Judiciary Committee the data breach affected customers who shopped at the company’s U.S. stores from Nov. 27 through Dec. 18.
Target announced on Dec. 19 that it had been a victim of one of the biggest credit card breaches on record.
Mulligan confirmed that the stolen data included customers’ names, credit and debit card information, encrypted debit-card personal identification numbers and the track data encoded on the cards’ magnetic stripes, which is what a criminal needs to produce counterfeit cards. An estimated 40 million credit and debit card accounts were affected by the breach.
Also stolen was personal data – names, phone numbers, mailing and email addresses – for up to 70 million customers who shopped at the store during the same period.
Mulligan said the retailer started an internal investigation of the breach on Dec. 13 after being notified by the Justice Department about suspicious activity involving payment cards used at Target stores. Two days after beginning its investigation, Target confirmed that criminals had infiltrated its system through the use of malicious software. That same day, it removed the malware from all registers in its U.S. stores.
Still unknown is how the malware that was used to carry out the theft got into Target’s computer system, and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor is also still unknown.
“We are working closely with the U.S. Secret Service and the U.S. Department of Justice on the investigation – to help bring to justice the criminals who perpetrated this wide-scale attack on Target,” Mulligan said.
Neiman Marcus suffered a similar breach last year. The company disclosed in January that about 1.1 million customer payment cards may have been exposed during a data breach that ran from July 16 to Oct. 30.
“The maximum number of account numbers in our stores at that time when they were exposed to the malware was 1.1 million accounts,” Neiman Marcus Chief Information Officer Michael Kingston told the panel. “But we do believe, because the malware was only operating at certain times, that the number is less than that.”
Payment cards issued in the U.S. still store account data on a magnetic stripe, a 1960s technology that is prone to fraud because the data is static and unencrypted: anyone who reads it once, at a skimmer or out of a register’s memory, can write it onto a blank card.
The companies and government officials suggested an expedited move to a new type of payment card technology known as “chip and PIN.”
This technology adds a microchip to the payment card that computes a unique cryptogram for each transaction, so data captured from one purchase cannot be reused to counterfeit the card, and requires customers to enter a PIN – instead of a signature – to complete a transaction. It does not protect online and other card-not-present purchases, where neither the chip nor the PIN is involved.
The chip-and-PIN system is widely used in Canada and Europe. But U.S. retailers and credit card companies have been reluctant to spend the billions of dollars required to create an entirely new payment system.
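To make the contrast between the two technologies concrete, here is an added example in Python; it is not from the hearing and not any vendor's or card network's code. It parses a constructed Track 2 record of the kind register-scraping malware lifts from memory, shows that the same static data authorizes a clone as readily as the genuine card, and then models, in deliberately simplified form, the per-transaction cryptogram a chip card computes over a transaction counter, the amount and a terminal nonce. The HMAC-SHA256 construction, the field list, the test PAN, the scraped buffer and all class and function names are illustrative stand-ins for EMV's real key derivation and message formats and are assumptions, not a description of any issuer's implementation.

```python
import hashlib
import hmac
import os
import re

# ---- Part 1: magnetic stripe, static data -----------------------------------
# Track 2 layout per ISO/IEC 7813: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: the only integrity check a PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str):
    """Return the fields of the first well-formed Track 2 record in raw, else None."""
    m = TRACK2_RE.search(raw)
    if m is None or not luhn_ok(m["pan"]):
        return None
    return {
        "pan": m["pan"],
        "expiry": m["exp"],                  # YYMM
        "service_code": m["svc"],
        # a first service-code digit of 2 or 6 means the card also carries a chip
        "chip_capable": m["svc"][0] in "26",
        "discretionary": m["disc"],          # issuer data, normally including the stripe's CVV
    }


# Constructed sample (assumption): a scraped register buffer with one record; 4111... is a test PAN.
SCRAPED_BUFFER = "...log noise... ;4111111111111111=25121011234567890? more noise"


def magstripe_authorize(track: str, issuer_records: dict) -> bool:
    """A stripe-only terminal forwards static data; the issuer can only compare it."""
    t = parse_track2(track)
    return t is not None and issuer_records.get(t["pan"]) == (t["expiry"], t["discretionary"])


# ---- Part 2: chip card, per-transaction cryptogram -----------------------------
# Simplified stand-in for an EMV ARQC (assumption): real cards derive a session key from a
# card master key and the counter and MAC a longer field list with 3DES/AES.
def cryptogram(card_key: bytes, atc: int, amount_cents: int, unpredictable_number: bytes) -> bytes:
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + unpredictable_number
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0    # key never leaves the chip

    def generate_ac(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1                                  # Application Transaction Counter
        return self.atc, cryptogram(self.key, self.atc, amount_cents, unpredictable_number)


class Issuer:
    def __init__(self):
        self.cards = {}                                # pan -> [key, highest ATC accepted]

    def enroll(self, pan: str, key: bytes):
        self.cards[pan] = [key, 0]

    def authorize(self, pan, atc, amount_cents, unpredictable_number, ac) -> bool:
        key, last_atc = self.cards[pan]
        if atc <= last_atc:                            # replayed or reused counter value
            return False
        expected = cryptogram(key, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, ac):      # wrong key, amount or terminal nonce
            return False
        self.cards[pan][1] = atc
        return True


def demo() -> dict:
    """Run both models against one captured transaction and report who gets authorized."""
    results = {}
    # Stripe: a single capture of the static track is enough to clone the card indefinitely.
    t = parse_track2(SCRAPED_BUFFER)
    issuer_records = {t["pan"]: (t["expiry"], t["discretionary"])}
    clone = ";" + t["pan"] + "=" + t["expiry"] + t["service_code"] + t["discretionary"] + "?"
    results["stripe_genuine"] = magstripe_authorize(SCRAPED_BUFFER, issuer_records)
    results["stripe_cloned"] = magstripe_authorize(clone, issuer_records)
    # Chip: the attacker observes one complete transaction, cryptogram included.
    issuer = Issuer()
    card = ChipCard(t["pan"], os.urandom(16))
    issuer.enroll(card.pan, card.key)
    un = os.urandom(4)                                 # terminal-generated nonce
    atc, ac = card.generate_ac(1999, un)
    results["chip_genuine"] = issuer.authorize(card.pan, atc, 1999, un, ac)
    results["chip_replay"] = issuer.authorize(card.pan, atc, 1999, un, ac)                   # same capture again
    results["chip_forged"] = issuer.authorize(card.pan, atc + 1, 5000, os.urandom(4), ac)    # new amount, old cryptogram
    return results
```

Running `demo()` authorizes both stripe transactions but only the first chip transaction: the replay fails on the counter check, and the forged purchase fails on the cryptogram because the key needed to compute a fresh one never left the chip. The model says nothing about card-not-present purchases, which is the gap chip-and-PIN leaves open.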
Mulligan said Target plans to implement chip-and-PIN technology in its own credit cards by early 2015.
“You can come up with devices that will secure credit card data but it doesn’t alleviate the fact that we’re still talking about criminals that are doing it,” said William Noonan, a top agent with the Secret Service’s cyber operations branch. “These criminals are motivated by money. They’re going to use whatever they have at their disposal to still go after the pot of gold, which is held in the payment card systems piece.”
A chip-based system would add a much-needed layer of security, but the technology would not eliminate the incentive for criminals to continue targeting card data, Noonan said.
Noonan said the Secret Service has arrested nearly 5,000 cyber criminals responsible for more than $1 billion in fraud losses in the past four years.
Fran Rosch, an executive at security firm Symantec, said that chip-and-PIN technology would make it harder for hackers to steal the data because the information on the card stays encrypted longer.
He said the technology also makes it more difficult for hackers to duplicate stolen cards and adds a “two-factor authentication” – a layer of security that combines something you have, in this case the credit card, with something you know, the PIN.
Senators questioned the notification procedures and whether federal law enforcement agencies are doing enough to go after these criminals.
“Am I right in thinking that the U.S. is behind the rest of the world in its data-security safeguards?” Sen. Richard Blumenthal (D-Conn.) asked.
Sen. Dianne Feinstein (D-Calif.) said she has been tracking data breaches for about 13 years and has been frustrated by how unwilling companies have been to come forward. Feinstein, who recently introduced a bill that would force companies to notify customers about data breaches, noted that public notification of data breaches is “vague” and firms can often get away without making disclosures.
“People deserve to know their data was hacked,” she said.
Mythili Raman, acting assistant attorney general in the criminal division of the Justice Department, called for federal standards requiring certain types of businesses to report data breaches.
“Businesses should be required to provide prompt notice to consumers in the wake of a breach and to notify the federal government of breaches so that law enforcement can pursue and catch the perpetrators,” Raman said.
She said the Justice Department supports changes to the Computer Fraud and Abuse Act along the same lines as those proposed by the Obama administration in 2011.
There appeared to be bipartisan interest from the lawmakers at the hearing to establish federal security standards protecting consumer data and laws requiring companies to notify consumers promptly after a data breach.
“Standards are helpful,” Kingston said. “But as soon as we establish standards, the whole world knows about it…and can come up with ways to defeat those standards.”
Rosch similarly warned standards are helpful but only if they do not compromise companies’ flexibility to adapt to emerging threats.
“This is an ongoing war, and the types of threats are changing all the time,” Rosch said. “Whatever gets developed needs to allow for improvements, not holding down advancement.”