Deanna Dewberry, NBC 5 News
Executives from Target and Dallas-based Neiman Marcus were on Capitol Hill Tuesday to answer lawmakers' questions about recent data security breaches that affected thousands of customers.
An executive of Target Corp. said Tuesday the retailer has taken actions to shore up security following the massive breach of millions of consumers' data during the holiday season.
But senators examining the issue at a hearing said even the most robust security systems can be vulnerable to cyberattack, and only the adoption by banks and retailers of more advanced technology for payment cards and processing systems will reduce fraud.
The Senate Judiciary Committee testimony by John Mulligan, executive vice president and chief financial officer at the No. 2 U.S. discounter, also revealed that Target discovered an additional 25 cash registers infected by malicious software on Dec. 18. The company had said earlier that it had removed all the malware from its system by Dec. 15.
Mulligan's testimony was the first public appearance by a Target executive addressing the issue since the breach that occurred between Nov. 27 and mid-December. An estimated 40 million credit and debit card accounts were affected.
Among the actions the Minneapolis-based company has taken, he said, is a thorough review of its payment network with an eye to improving security, and issuing new credit or debit cards to customers requesting them.
Mulligan said Target is "deeply sorry" for the effect of the data theft on consumers, and he acknowledged that their confidence in the company has been shaken.
Sen. Patrick Leahy, D-Vt., the panel's chairman, said the erosion of consumers' confidence -- with data breaches on the rise affecting retailers, Internet companies and others -- could hinder the U.S. economy's recovery.
The recent data hackings at Target, luxury retailer Neiman Marcus and arts-and-crafts chain Michaels Stores "compromised the privacy and security of millions of consumers," Leahy said.
Senators pressed Mulligan and Michael Kingston, senior vice president and chief information officer at Neiman Marcus Group Inc., about how quickly they notified customers of the breaches.
Mulligan said Target executives were told on Dec. 12 by the Justice Department of suspicious activity involving payment cards. The company started an investigation, removed malware and publicly announced the data theft on Dec. 19.
A processing firm told Neiman Marcus of a problem on Dec. 13, and the company's investigators made a report on Jan. 2, Kingston said. Customers were notified on Jan. 10. In mid-January, the investigators concluded that the malware plucking data from customer payment cards had been operating between July 16 and Oct. 30, Kingston testified.
An estimated 1.1 million accounts were affected.
Legislation authored by Leahy would establish a national standard for companies to follow in notifying consumers after a data breach.
Federal Trade Commission Chairwoman Edith Ramirez endorsed the proposal at the hearing, saying a federal law would help consumers mitigate potential harm from abuse of their personal data.
To prevent attacks, the banking and retailing industries have to adopt more secure technologies, members of the Judiciary panel said. The banks plan to put digital chips for storing account information on debit and credit cards by the fall of 2015. Compared with the current magnetic strips, it's a system that typically makes data theft harder and is common in other countries.
What is needed, senators said, are both digital chips and a personal identification number (PIN) for each debit or credit card transaction, instead of a signature. Experts say it's harder for criminals to steal personal identification numbers than to forge signatures.
"What is stopping us from moving to this kind of technology?" asked Sen. Amy Klobuchar, D-Minn. "What's stopping our country when they're doing this in Europe?"
Mulligan said Target favors a switch to chips and PINs for payment cards, and is willing to spend money to install systems for processing them, but the banking industry hasn't embraced such a move. "All of us need to move together simultaneously. It's a shared responsibility."
Sen. Richard Blumenthal, D-Conn., said the retail and banking industries "have a lot of soul-searching to do about whether they've been protective of consumer information." Stiffer federal penalties for retailers to encourage them to strengthen their data security are needed, he said.