Target executive details massive data breach

Credit: Joe Raedle, Getty Images, USA Today

A customer signs a credit card statement next to a scanner in a Target store on Dec. 19, 2013, in Miami, Fla.


by Donna Leinwand Leger / USA TODAY

Posted on February 4, 2014 at 11:19 AM

Updated Tuesday, Feb 4 at 12:22 PM

WASHINGTON -- Target Executive Vice President and Chief Financial Officer John Mulligan began his testimony before the Senate Judiciary Committee with an apology for the data breach that exposed information involving 110 million Target customers.

"We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back," Mulligan said.

Target learned of the data breach on the evening of Dec. 12 when the Justice Department notified the company of suspicious activity involving payment cards used at Target stores. Mulligan said company officials met with the Justice Department and Secret Service the next day. On Dec. 14, Target hired an independent team of experts to conduct a forensic investigation.

That team confirmed Dec. 15 that "criminals had infiltrated our system, had installed malware on our point-of-sale network and had potentially stolen guest payment card data," Mulligan said. The same day, the company removed the malware "from virtually all registers in our U.S. stores."

The company disabled malware on 25 additional registers on Dec. 18, he said. Within a week of discovery of the breach, the public was notified, he added.

"We have been moving as quickly as possible to share accurate and actionable information with the public," Mulligan said, adding that the company had no knowledge of malware in its system before the Justice Department notification.

"We have an ongoing forensic investigation and an end-to-end review of our entire system," Mulligan said.

An estimated 40 million Target credit and debit card accounts were breached late last year, compromising customers' credit and debit card numbers, expiration dates, PIN numbers and codes on the cards' magnetic strips. Also stolen was non-card personal information — names, phone numbers and email and mailing addresses — for up to 70 million Target customers who could have shopped before or after the Nov. 27-Dec. 15 period.

Still unknown is how the malicious software that was used to carry out the theft got into Target's computer system and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor isn't known, either. The Secret Service has been investigating, and Attorney General Eric Holder has said the Justice Department is conducting a criminal probe to find those responsible.

Consumers Union, the policy and action division of Consumer Reports, is concerned about vulnerabilities in debit cards, which have fewer legal protections than credit cards, policy counsel Delara Derakhshani told the committee.

"While consumers might not ultimately be held responsible if someone steals their debit card and PIN number, data thieves can still empty out consumers' bank accounts and set off a cascade of bounced checks and late fees, which victims will have to settle down the road," Derakhshani said. "The burden is being put on consumers to be vigilant to prevent future fraudulent use of their information."

Although Target, Neiman Marcus and other retailers have offered a year of free credit monitoring for customers whose accounts were breached, Derakhshani said such services have drawbacks. Many of the contracts with the credit monitoring services require consumers to agree to mandatory arbitration, giving up their right to go to court if disputes arise.

Retailers are trying to shore up consumers' confidence by upgrading and testing their systems for accepting payments. But their trade association says the billions that merchants are spending won't prevent breaches unless the banks adopt more secure card technology.

The banks plan to put digital chips for storing account information on debit and credit cards by the fall of 2015. The chip system is common in other countries and typically makes data theft harder than the current magnetic strips do. This would be a step forward but hardly a guarantee against cyber attacks, the banks caution.

The magnetic strips use the same technology as cassette tapes to store account information and are easy to copy. By contrast, a digital chip generates a unique code each time it's used. Criminals can steal and sell data from cards with chips, but they can't create fraudulent cards.