Target is investing $100 million to upgrade to a more advanced credit card system following the massive hack of customer data, its chief financial officer told U.S. Senators Tuesday.
Testifying before the Senate Judiciary Committee, Target (TGT) CFO John Mulligan gave a more detailed account of the holiday season hack that has exposed personal or financial data of nearly a third of U.S. adults.
The event has put pressure on Target to accelerate implementation of advanced chip-based credit card technology that is considered safer than the magnetic stripes common in the United States. Mulligan said Target will update its system by early next year.
"This attack has only strengthened our resolve. We will learn from this incident," Mulligan said.
Mulligan told senators it was the Justice Department that first notified the company of the data breach on Dec. 12. Three days later, Target was able to confirm hackers had slipped malware into its point-of-sale network, affecting all card terminals in U.S. stores. Cybersecurity blogger Brian Krebs broke news of the hack on Dec. 18, and Target notified customers the next day.
Mulligan reiterated that hackers stole a vendor's credentials and made off with two batches of data: information found on 40 million debit and credit cards swiped during the holiday shopping season, plus personal data kept by Target on up to 70 million customers.
All this happened despite Target's firewalls, malware detection software and data-loss prevention tools.
"I want to say how deeply sorry we are for the impact this has had on our guests," he said, explaining that retailers are facing "increasingly sophisticated threats" that outmatch current protections.
Also testifying Tuesday was Neiman Marcus chief information officer Michael Kingston, who said hackers installed malware on the company's network and stole payment card data for 1.1 million customers from July until October at 77 of its 85 U.S. stores.
Despite regular scanning for malicious activity, no one knew anything was afoot until Dec. 17, when Neiman Marcus's merchant processor called the retailer. MasterCard had discovered fraud on 122 cards that had previously been swiped at Neiman Marcus.
A private forensic team found the malware on Jan. 2, but it took another four days for them to understand what it was doing. Neiman Marcus said it immediately notified customers individually, but didn't make a public announcement for another two weeks.
There appeared to be bipartisan interest at the hearing to establish federal security standards protecting consumer data and laws forcing companies to notify consumers in a timely fashion when their data has been breached by hackers. Executives and security experts agreed that upgrading the nation's card system is a major step forward.
That requires a major investment by the retail and finance industries. Stores need to install new hardware to accept so-called chip-and-PIN cards, and banks need to issue these more expensive models.
Target's Mulligan said success depends on all sides -- retailers, banks, merchant processors and others -- moving forward together.
Illinois Senator Dick Durbin, a Democrat, noted that his amendment to the Dodd-Frank banking reform act already charges merchants a one-cent fraud prevention fee on transactions that should help push that along.
"It isn't as if we aren't paying already to move this technology forward," Durbin said.
California Senator Dianne Feinstein, also a Democrat, noted that public notification of major data breaches is currently "vague (and) nonspecific," and firms can often get away without making disclosures.
"People deserve to know their data was hacked," she said.
While most senators on the committee agreed that security standards protecting consumer information should be put into place, Fran Rosch, an executive at cybersecurity provider Symantec (SYMC), warned against federal overreach. He said rules protecting computer networks and payment systems could be helpful if they serve as minimum standards, but not if they restrict a company from adopting more advanced techniques.
"This is an ongoing war, and the types of threats are changing all the time," Rosch said. "Whatever gets developed needs to allow for improvements, not holding down advancement."