A Target executive warned Congress that credit card breaches, such as the one that affected up to 110 million of its customers, are going to become very common and there may be little retailers can do to shield shoppers for now.
“The unfortunate reality is that we suffered a breach, and all businesses – and their customers – are facing increasingly sophisticated threats from cyber criminals,” Target chief financial officer John J. Mulligan told lawmakers at a hearing. “In fact, recent news reports have indicated that several other companies have been subjected to similar attacks.”
A Neiman Marcus executive chimed in at the hearing, saying its anti-virus software was virtually useless. It didn’t detect when its credit card systems were being hacked. As a result, the company did not learn of the intrusion until the beginning of January, even though the attacks occurred between July and October, said senior vice president Michael Kingston.
The testimonies affirmed what many security experts have long warned: There is no end in sight for the recent spate of cyberattacks.
Real change would require all the actors in the payment card system—merchants, banks that issue credit cards and the card networks—to work together to replace the plastic in our wallets with something more sophisticated, such as a card with a computer chip.
“Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response,” Mulligan said.
Tuesday’s hearing marks the first time Target has publicly answered questions since revealing the data breach in December. At that time, the company said hackers had lifted 40 million debit and credit card numbers from its customers. It later said that hackers also grabbed personal information, including names, home addresses and telephone numbers, of up to an additional 70 million Target customers in that attack.
Investigations into the cyberattack are still unfolding, but Target confirmed last week that its probe found that the hacker stole a vendor’s credentials to access its system. The Secret Service has been working with the company on the investigation, and Attorney General Holder vowed last week to find the perpetrators of the attack.
Weeks after Target revealed its data intrusion, luxury retailer Neiman Marcus said 1.1 million of its customers had also been affected by a three-month data breach. The cyberattack has resulted in 2,400 cards from customers being used in fraudulent transactions so far.
Mulligan said the company was “deeply sorry” for the inconvenience the breach may have caused consumers. He acknowledged that the nation’s second largest retailer will have to work “very hard” to earn back the public’s confidence.
Mulligan also laid out a timeline of the breach:
Evening of December 12, Target was notified by the Justice Department of suspicious activity involving payment cards used at its stores. Target began an internal investigation.
December 13, Target met with the Justice Department and the Secret Service.
December 14, Target hired an independent team of experts to lead a forensic investigation.
December 15, Target confirmed the attack and removed the malware from “virtually all registers” in its U.S. stores.
Over the next two days, the company began notifying the payment processors and card networks.
December 18, Target disabled malware on about 25 additional registers.
December 19, Target announced the breach publicly.