News Column

Target executive briefs Senate panel on data breach, security plans

February 5, 2014

By Nick Woltman, Pioneer Press, St. Paul, Minn.

Feb. 05 --Target's chief financial officer told a U.S. Senate panel Tuesday that the company was "deeply sorry" for the recent mass theft of customer data from its computer network and has invested $100 million to beef up the security of its payment systems to prevent future breaches. In addition to describing an "end-to-end review" of its network, Target CFO John Mulligan testified before the Senate Judiciary Committee in Washington that the company is fast-tracking upgrades to its cash register terminals and REDcard-branded credit and debit cards to outfit them with so-called chip-and-PIN technology -- considered more secure than the ubiquitous magnetic stripe payment card. The Senate committee and others in Washington are investigating the breach at Target that compromised the payment accounts of some 40 million customers over the holiday shopping season. Large breaches at other retailers were subsequently reported. Also testifying Tuesday were other retail executives, data security experts and members of the Secret Service and other federal agencies that are investigating. Mulligan said Minneapolis -based Target expects all of its roughly 1,800 U.S. stores to be outfitted with the new payment terminals by the end of this year and its REDcards to be replaced with chip-and-PIN cards by early 2015 -- more than six months earlier than originally planned. Mulligan said the technology is already installed in about 300 Target stores. Chip-and-PIN cards have an embedded physical microchip, instead of the familiar magnetic stripe, and require the consumer to enter a personal identification number (PIN) at the point of sale. Mulligan's testimony also revealed that Target discovered an additional 25 point-of-sale terminals infected by malicious software on Dec. 18 . The company earlier had said that it had removed all the malware from its system by Dec. 15 . The recent data hackings at Target, luxury retailer Neiman Marcus and arts-and-crafts chain Michaels Stores "compromised the privacy and security of millions of consumers," said Sen. Patrick Leahy , D- Vt ., the panel's chairman. Senators pressed Mulligan and Michael Kingston , senior vice president and chief information officer at Neiman Marcus Group , about how quickly they notified customers of the breaches. Mulligan said the company was first notified by the Justice Department of "suspicious activity involving payment cards used at Target stores" on Dec. 12 . Over the following three days, an internal investigation determined that hackers had installed malware on the point-of-sale devices, potentially compromising customer information, at which point the company began removing the malware. The company did not make any public statements about the breach until Dec. 19 , when it announced that the accounts, including those of non-Target cards, had been compromised. By then, the information had been leaked and widely reported and consumers were seeing fraudulent charges appearing on their accounts. Target said the breach was ongoing from before Thanksgiving through Dec. 15 -- the height of the holiday shopping season. Then, last month, Target said personal information from up to 70 million customers also had been compromised. Since then, banks and credit card companies have been replacing the accounts of people who made Target purchases. Target has said no fraud has been detected on its REDcard accounts. Mulligan's testimony was the first public appearance by a Target executive addressing the breach. Target CEO Gregg Steinhafel discussed the breach last month in an interview on CNBC. Kingston, from Neiman Marcus , said a processing firm told the department store chain of a problem Dec. 13 , and the company's investigators made a report on Jan. 2 . Customers were notified Jan. 10 . The malware causing the breach appeared to have been operating in many Neiman Marcus stories between July and October, Kingston testified. Also testifying were Fran Rosch , a vice president at cyber-security firm Symantec , and Delara Derakhshani , policy counsel for the Consumers Union . A later panel included federal law enforcement officials. Senators questioned Rosch and Derakhshani on whether a federally mandated data security standard would be effective in thwarting cyber criminals, noting that the criminals' tactics are constantly evolving. "The key word here is flexibility," Rosch said. "I think what we have to recognize is that this is kind of an ongoing war. The types of threats are changing all the time." One security measure that committee members and witnesses largely agreed upon was the chip-and-PIN payment card technology, which has been commonly used in Europe for years. Minnesota Sens. Amy Klobuchar and Al Franken , both of whom serve on the Judiciary Committee, asked why U.S. banks and merchants have been slow to adopt chip-and-PIN payment cards. "We think the answer comes down to money," Derakhshani said. "It's expensive to update the technology at the point of sale, it's expensive to reissue cards." Mulligan pointed out that without widespread adoption of the new technology by all retailers, banks and credit card issuers, shoppers will still be vulnerable. "We need to move together collectively so the whole system is employing chip-and-PIN technology." Senators were also interested in the potential effectiveness of federally mandated consumer notification requirement for all companies that collect consumer data -- banks are already required to notify their customers in the event of a data breach, but merchants are not. Sen. Dianne Feinstein , D- Calif. , is co-sponsoring legislation that would establish such a requirement; she noted that there has been resistance to it among retailers. "I believe that if someone has an account, or uses their credit (card), at your institution and their data is breached, they should be notified so they can protect themselves," Feinstein said. ___ Associated Press contributed to this story. Nick Woltman can be reached at 651-228-5189; follow him on Twitter at @nickwoltman. ___ (c)2014 Pioneer Press (St. Paul, Minn.) Visit the Pioneer Press (St. Paul, Minn.) at www.twincities.com Distributed by MCT Information Services


For more stories on investments and markets, please see HispanicBusiness' Finance Channel



Source: Saint Paul Pioneer Press (MN)


Story Tools