John Mulligan, Target Executive Vice President and Chief Financial Officer, started off his testimony to the Senate Judiciary Committee apologizing for the data breach that has exposed 110 million Target customers’ personal and financial information.
“We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back,” Mulligan explained to the panel, which was conducting a hearing on the prevention of data breaches and cybercrime. The data breaches of Target and Neiman Marcus were the primary focus of the hearing.
The Justice Department alerted the retail giant on the evening of Dec. 12 that strange activity was taking place with the payment cards used at Target stores. Secret Service and Justice Department officials met with company representatives the next day, and an independent team of specialists was hired to conduct an investigation on Dec. 14.
On Dec. 15, the team confirmed its previous suspicions that “criminals had infiltrated our system, had installed malware on our point-of-sale network and had potentially stolen guest payment card data,” Mulligan said.
He added that the company disabled an additional 25 registers on Dec. 18 and notified the public within a week of the malware’s discovery.
“We have been moving as quickly as possible to share accurate and actionable information with the public,” Mulligan said, while admitting that the company was unaware its systems had been infiltrated before the Justice Department intervened.
“We have an ongoing forensic investigation and an end-to-end review of our entire system,” Mulligan said.
The data breach that affected an estimated 40 million Target credit and debit card accounts late last year was responsible for the compromise of not only customers’ credit and debit card numbers, expiration dates, PIN numbers and codes on the cards’ magnetic strips, but also non-card personal information such as names, phone numbers and mailing addresses.
Despite thorough investigations by the Secret Service and the Justice Department, many details regarding the malicious software and the cybercrime perpetrators are still largely unknown. A criminal probe is currently underway by the Justice Department.
Michael Kingston, Neiman Marcus Senior Vice President, told the Judiciary panel that the company first became aware of its security incident from its credit processor, Mastercard, on Dec. 17. Mastercard explained that 122 fraudulently used credit cards had last been used at a Neiman Marcus store.
The accounts of 1.1 million customers were confirmed by a forensic team to have been affected during the Neiman Marcus data breach, Kingston said.
Sen. Dianne Feinstein, D-Calif., claimed to have never received notification of the Neiman Marcus breach despite being a shopper during the time that the malware was stealing data.
On Jan. 22, Neiman Marcus notified all of its online and in-store customers, according to Kingston.
Customer notification should be required by law, Feinstein said.
“The public notification is always vague, it is non-specific,” Feinstein said. “Then the customer finds out in other ways, sometimes brutal ways,” that their personal information has been taken, she said.
Consumers Union, the policy and action division of Consumer Reports, has concerns about the vulnerabilities in debit cards, which have far fewer legal protections than credit cards, according to Delara Derakhshani.
“While consumers might not ultimately be held responsible if someone steals their debit card and PIN number, data thieves can still empty out consumers’ bank accounts and set off a cascade of bounced checks and late fees, which victims will have to settle down the road,” Derakhshani said. “The burden is being put on consumers to be vigilant to prevent future fraudulent use of their information.”
Despite efforts by Target, Neiman Marcus and other retailers to make amends by offering a year of free credit monitoring to compromised consumers, such services have their drawbacks as well, Derakhshani added. Many of the contracts include a mandatory arbitration agreement that prevents consumers from going to court if disputes occur.
By the fall of 2015, banks are planning to put digital chips for storing account information on debit and credit cards. This method would make data theft more difficult and is common in many other countries. However, the banks warn that despite this being a step forward in the prevention of cybercrime, it could not guarantee safety against cyber-attacks.
Because the magnetic strips on credit and debit cards store data the same way cassette tapes do, they are easily copied, while a digital chip generates a unique code each time it’s used. Although criminals could steal and sell data from the digital chips, they could not create fraudulent cards.