WASHINGTON (CBSNewYork/AP) — Executives with Target and Neiman Marcus were in Washington Tuesday testifying before the Senate Judiciary Committee about recent data breaches at their stores.
John Mulligan, executive vice president and chief financial officer at Target, said the retailer has taken actions to shore up security following the massive breach of millions of consumers’ data during the holiday season.
It was the first public appearance by a Target executive addressing the issue since the breach that occurred between Nov. 27 and Dec. 15. An estimated 40 million credit and debit card accounts were affected.
Mulligan said Target is “deeply sorry” for the effect of the data theft on consumers, and he acknowledged that their confidence in the company has been shaken.
Sen. Patrick Leahy, D-Vt., the panel’s chairman, said the erosion of consumers’ confidence, with data breaches on the rise affecting retailers, Internet companies and others, could hinder the U.S. economy’s recovery.
The recent data hackings at Target, luxury retailer Neiman Marcus and arts-and-crafts chain Michaels Stores “compromised the privacy and security of millions of consumers,” Leahy said.
Senators pressed Mulligan and Michael Kingston, senior vice president and chief information officer at Neiman Marcus Group Inc., about how quickly they notified customers of the breaches.
Mulligan said Target executives were told on Dec. 12 by the Justice Department of suspicious activity involving payment cards. The company started an investigation, removed malware and publicly announced the data theft on Dec. 19.
A processing firm told Neiman Marcus of a problem on Dec. 13, and the company’s investigators made a report on Jan. 2, Kingston said.
Customers were notified on Jan. 10. The malware causing the breach appeared to have been operating in many Neiman Marcus stores between July and October, Kingston testified.
An estimated 1.1 million accounts were affected.
Congress is working on new legislation that would strengthen security protections for consumers. But Monday, experts told lawmakers the problem is built into America’s financial infrastructure.
“Target was at fault, Neiman was at fault, but they’re not completely at fault,” said Ed Mierzwinski with the U.S. Public Interest Research Group. “They’re asked to accept cards that are inherently dangerous.”
Current debit and credit cards rely on decades-old magnetic strips, which many want to replace with what’s called “chip and PIN” technology.
“Chip and PIN is the next technology in America, but banks have not even proposed that we go to the chip and PIN which has been in use in Europe for years,” Mierzwinski said.
Those cards store your data on an encrypted microchip that’s hard to copy and require a PIN instead of a signature. Experts say it’s harder for criminals to steal PINs than to forge signatures.
But banks have been reluctant to make the switch because of the billions it would cost to make the transition.
Connecticut Sen. Richard Blumenthal has co-authored the bill designed to protect consumers.
“A very small business would comply as well as the large because the burden would be on the credit card companies to use certain kinds of technology. The chips and PIN numbers, rather than magnetic strips,” Sen. Blumenthal told WCBS 880 Connecticut Bureau Chief Fran Schneidau. “These safeguards are absolutely necessary because retailers have failed to protect consumer information. We’re talking about not only credit card information but social security numbers and other vitally important sensitive financial information that puts consumers at risk when it’s stolen.”
The senator said under the enhanced protection, consumers themselves could bring action because they would be guaranteed insurance for protection in the event of any security breach.
Blumenthal said under his legislation, the Federal Trade Commission would be empowered to enforce the security upgrade.
Credit card companies, including American Express and Visa, say they have plans to introduce the more secure cards, but retailers also have to get on board and change out card readers.
Still unknown is how the malicious software that was used to carry out the theft got into Target’s computer system and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor isn’t known, either.
The Secret Service has been investigating, and Attorney General Eric Holder has said the Justice Department is conducting a criminal probe to find those responsible.
(TM and © Copyright 2014 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2014 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)