By Todd Shields and Renee Dudley
Feb. 4 (Bloomberg) – Target Corp. apologized to U.S. lawmakers for a data breach that exposed tens of millions of consumers’ data and said security will be improved by chip-enabled cards the retailer will provide to customers.
“I want to reiterate how sorry we are that this has happened,” John Mulligan, chief financial officer of the second-largest U.S. discount retailer, told the Senate Judiciary Committee today.
Officers of Target and closely held Neiman Marcus Group Ltd., which also suffered a hacker attack that exposed personal data of customers, testified in a second day of congressional hearings as lawmakers called for a national data-breach notification requirement and wider authority for the Federal Trade Commission to enforce such rules.
In December, Minneapolis-based Target said credit- and debit-card data for as many as 40 million people who shopped in its stores between Nov. 27 and Dec. 15 may have been compromised. Mulligan today said the breach lasted three days longer, to Dec. 18.
He said Target is accelerating investment in chip cards, which he called “critical to providing enhanced protection for customers.”
Michael Kingston, chief information officer for Neiman Marcus, which had about 1.1 million payment cards that may have been affected by a similar breach, told lawmakers that government can help by letting law enforcement share threat information with companies.
Target took immediate action to disable malware on registers once it was discovered. Last month, Target said the names, phone numbers and home and e-mail addresses of as many 70 million people also were compromised.
Senator Patrick Leahy, a Vermont Democrat and chairman of the Judiciary Committee, today said he hoped for quick action on U.S. legislation. He has introduced a bill containing notification requirements.
“Time is of the essence,” Leahy said. “American consumers deserve to know when their private information has been compromised.”
Edith Ramirez, chairwoman of the trade commission, called for a federal breach-notification requirement to replace state laws.
“Never has the need for legislation been greater,” Ramirez said. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identify theft, Congress needs to act.”
At stake is about $40 billion of revenue earned by card issuers including JPMorgan Chase & Co., as well as the profits of Target and other retailers affected by the breaches. More than $3 trillion in U.S. customer transactions take place each year through the point-of-sale systems infiltrated by the hackers, according to David Robertson, publisher of the Nilson Report, an industry newsletter based in Carpinteria, California.
Federal law requires financial institutions to notify customers of data breaches. Retailers must follow varying laws in 46 states.
In addition to Target and Neiman Marcus, other retailers, such as Michaels Stores Inc., the world’s largest arts-and-crafts retailer, have said recently that some of their customer payment-card data may have been used fraudulently.