Target Corp., testifying before Congress about a data breach that affected millions of customers, told lawmakers it had clues about the attack weeks before responding and is exploring why it took so long to react.
Sometime after intruders entered Target’s systems on Nov. 12, their activities were detected and evaluated by security professionals, according to remarks Chief Financial Officer John Mulligan submitted to a U.S. Senate panel. The company was later alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.
“We are asking hard questions about whether we could have taken different actions before the breach was discovered that would’ve resulted in different outcomes,” Mulligan told the panel today. “In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound.”
The testimony follows a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.
“We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target’s point-of-sale registers,” Mulligan said in written testimony submitted to the panel. “The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system.”
The Senate Committee on Commerce, Science and Transportation, which prepared a report ahead of the hearing, found that Minneapolis-based Target appeared to have missed opportunities “to stop the attackers and prevent the massive data breach.”
Several senators on the panel criticized Target’s management for not reacting sooner to warnings from sophisticated anti-hacking systems.
“Here, to be quite blunt, there were multiple warnings,” said Senator Richard Blumenthal, a Democrat from Connecticut. “Maybe because of lack of training, perhaps simply a sense of confidence and complaisance. And that has created enormous cost.”
‘Fell Far Short’
Since Target collects detailed information on its customers, it needs to do everything possible to protect that data from identity thieves, said Senator Jay Rockefeller, a Democrat from West Virginia who serves as chairman of the committee. “It is now well known that Target fell far short of doing this.”
The attack, which became public in December at the height of the holiday shopping season, harmed Target’s reputation and fourth-quarter sales. The company’s U.S. comparable-store sales decreased 2.5 percent in the period. Target spent $61 million responding to the situation last quarter, including costs to investigate the incident and offer identity-theft services to customers. Insurance covered $44 million of the tab, leaving the company with an expense of $17 million in the period.
The company is now searching for a new chief information officer following the departure of Beth Jacob, who resigned March 5 after holding the post since 2008. The new executive will help revamp Target’s information-security and compliance operations.
Target isn’t the only retailer to have had its systems attacked in the past year. Luxury department-store chain Neiman Marcus Group Ltd. said in January that about 1.1 million credit cards may have been compromised in a data breach. Days later, arts-and-crafts retailer Michaels Stores Inc. said some customer payment-card data may have been used fraudulently. Sears Holdings Corp. said last month that it was reviewing its systems to see whether it had been the victim of a breach.