Target Executive Apologizes for Cyberattack

Lawmakers seek legislative fix for growing problem

Andrew Harrer / Bloomberg / Getty Images

John Mulligan, executive vice president and chief financial officer of Target Corp., arrives to a Senate Judiciary Committee hearing in Washington, D.C. Feb. 4, 2014.

A top executive of retail giant Target apologized to lawmakers and consumers Tuesday for a massive cybersecurity breach that put customers’ financial information at risk at the height of the holiday shopping season last year.

“I want to say how deeply sorry we are for the impact this incident has had on our guests—your constituents,” John Mulligan, Target’s chief financial officer, said during a hearing of the Senate Judiciary Committee. “We will work with you, the business community and other thought leaders to find effective solutions to this ongoing and pervasive challenge.”

Target was joined by high-end retailer Neiman Marcus in humbling itself before the senators, after both suffered high-profile security breaches that have shed light on a problem for which the committee hopes to find a legislative fix. But the tone of the hearing, set by committee chairman Patrick Leahy (D-Vt.) and ranking member Sen. Chuck Grassley (R-Iowa), was congenial, with senators using the recent cyber attacks as case studies in the need for reform. That reform could include a recently introduced bill that would create federal standards for securing personal information and consumer notification in the event of an unauthorized breach.

“It is not easy to be the face of the industry which really bears a responsibility here for what I see as a record of failure,” said Sen. Richard Blumenthal (D-Conn.), who called on the Federal Trade Commission to investigate Target’s data breach in December. “This information is not yours, it’s entrusted to you, it belongs to the consumer. That kind of basic principle is the bedrock of this legislation—a standard of care, applied industry wide, and enforcement.”

“We can thank God that you provide a vital retail service, but you’re not putting down the electric grid, and you’re not putting the servers behind all of our banks and financial systems,” said Sen. Sheldon Whitehouse (D-R.I.). “This is a window into a much larger problem.”

Michael Kingston, the chief information officer of Neiman Marcus, said the cyber attack it suffered potentially exposed customers’ payment card account information at 77 of 85 stores, and 1.1 million credit and debit card accounts, between July and October of last year. The malware was so sophisticated, Kingston said, that Neiman Marcus didn’t fully understand the threat until early this year, and could not quell the attack until Jan. 10.

Mulligan said the Target intruder grabbed the payment card data of approximately 40 million customers, along with personal data including names, mailing addresses, phone numbers and email addresses of up to 70 million customers, from Nov. 27 through Dec. 8. Target did not know of any specific malicious activity involving payment cards until the Justice Department notified the company on Dec. 12.

Symantec, a cyber security company, estimates that the global price tag of consumer cybercrime for 2013 was $113 billion, and the average cost per victim was nearly $300. The firm estimates that there are about 378 million victims of cybercrime per year.

8 comments
ThomasHall

Americans have more to fear from hackers accessing their financial information than the NSA. It is about time that America caught up with Europe and used security chip technology. Only when corporations are sued or boycotted will they actually spend the money to upgrade their security.

BruceS78

VISA and Mastercard could eliminate this problem in a year simply by requiring all businesses to use card readers that only accept credit and debit cards that use a security chip that the Europeans use. If the business community doesn't become proactive, then the government will intervene and I am sure that they won't like the government's solution.

bobcn

This afternoon a friend described to me a case of 'Identity Theft' that he's being dragged into. An Apple store on the other side of the country sold two iPhones to someone posing as my friend. This person also opened a new two year Verizon account in his name to get the phones.

Apple is demanding that my friend file a police report -- dragging him into a mess that he had nothing to do with.  Both Apple and Verizon are treating my friend as though their error is somehow his responsibility.

I hate the term 'Identity Theft'.  It suggests that if a business is conned by someone posing as someone else that somehow YOUR identity has been compromised.  In fact it hasn't.  No one has ever lost his identity due to 'Identity Theft'.  You are still you.  The thief isn't you and never will be.   My friend's identity didn't somehow change because a theft occurred thousands of miles away at an Apple store.  My friend's identity wasn't stolen -- some iPhones were.

Businesses use the 'Identity Theft' excuse to shift the blame and costs they incur when they're ripped off due to their own insufficient security protocols.  They could avoid their problems by making changes that they simply don't want to make.  For example:

  • Support the security chip credit and debit cards that have been ubiquitous in Europe for years.  It costs money to ramp up the infrastructure, so they don't want to do it.
  • Require photos on all cards.  This is a small step but it would help in the case of stolen cards.  Biometric data would be even better and should eventually be required.
  • Stop allowing applications to be instantly approved.  Require mail verification (or some similar verification step that identifies the applicant's identity and location) before approving an application.  Businesses don't want to wait to sell you something so they don't like this (you might change your mind about the purchase), but slowing down approvals to increase identity verification would substantially reduce 'Identity Theft'.

'Identity Theft' is quickly becoming more common.  Businesses (and particularly the banks) are responding by trying to shift the costs when they are conned by thieves.  Congress must enact legislation to require businesses to address the problem -- before this problem further destabilizes commerce in the US.  Waiting for a 'market based' solution guarantees that the problem will be shifted to the general populace and away from big business.  Legislation and regulation are necessary.

reallife

they should hire the company that worked on the obamacare website

LOL

john_rambo

I'm "deeply sorry" that I won't be shopping at this place any more given their concern with my fiscal privacy.

romano70

...and once again the US Congress is kissing CEO ass while the rest of America gets raped. Don't talk about solutions AFTER the breach again, talk about solutions to AVOID the breach. Ask them to reinforce their cybersecurity, to force them to go through internal audit cycles, to change the credit card format to the one used in Europe and Asia with a microchip! Asking them to spend $10 on monthly credit reports for all those buyers who are getting their credit scores slammed over the incompetence of retailers? That is NOTHING!!!!

EdwardE

ASIA FOR THE ASIANS, AFRICA FOR THE AFRICANS, WHITE COUNTRIES FOR EVERYONE!
If “anti-racists” are so unconcerned with race, how come they only have a problem with White Countries, White Cities, White Neighborhoods, White Workplaces, White schools?
I’ve never seen any “anti-racist” complain that any place is too brown and it has to become LESS brown to combat racism.
Who do they think they are kidding?
“Multiculturalism” = White GeNOcide
Anti-Racist is a code for anti-White.

jsfox

@EdwardWPWW WTF does this have to do with anything you raving KKK lunatic