A top executive of retail giant Target apologized to lawmakers and consumers Tuesday for a massive cybersecurity breach that put customers’ financial information at risk at the height of the holiday shopping season last year.
“I want to say how deeply sorry we are for the impact this incident has had on our guests—your constituents,” John Mulligan, Target’s chief financial officer, said during a hearing of the Senate Judiciary Committee. “We will work with you, the business community and other thought leaders to find effective solutions to this ongoing and pervasive challenge.”
Target was joined by high-end retailer Neiman Marcus in humbling itself before the senators, after both suffered high-profile security breaches that have shed light on a problem for which the committee hopes to find a legislative fix. But the tone of the hearing, set by committee chairman Patrick Leahy (D-Vt.) and ranking member Sen. Chuck Grassley (R-Iowa), was congenial, with senators using the recent cyber attacks as case studies in the need for reform. That reform could include a recently introduced bill that would create federal standards for securing personal information and consumer notification in the event of an unauthorized breach.
“It is not easy to be the face of the industry which really bears a responsibility here for what I see as a record of failure,” said Sen. Richard Blumenthal (D-Conn.), who called on the Federal Trade Commission to investigate Target’s data breach in December. “This information is not yours, it’s entrusted to you, it belongs to the consumer. That kind of basic principle is the bedrock of this legislation—a standard of care, applied industry wide, and enforcement.”
“We can thank God that you provide a vital retail service, but you’re not putting down the electric grid, and you’re not putting the servers behind all of our banks and financial systems,” said Sen. Sheldon Whitehouse (D-R.I.). “This is a window into a much larger problem.”
Michael Kingston, the chief information officer of Neiman Marcus, said the cyber attack it suffered potentially exposed customers’ payment card account information at 77 of 85 stores, and 1.1 million credit and debit card accounts, between July and October of last year. The malware was so sophisticated, Kingston said, that Neiman Marcus didn’t fully understand the threat until early this year, and could not quell the attack until Jan. 10.
Mulligan said the Target intruder grabbed the payment card data of approximately 40 million customers, along with personal data including names, mailing addresses, phone numbers and email addresses of up to 70 million customers, from Nov. 27 through Dec. 8. Target did not know of any specific malicious activity involving payment cards until the Justice Department notified the company on Dec. 12.
Symantec, a cyber security company, estimates that the global price tag of consumer cybercrime for 2013 was $113 billion, and the average cost per victim was nearly $300. The firm estimates that there are about 378 million victims of cybercrime per year.