Target Execs Had No Idea They Were Hacked Until the Government Told Them

Senators tangle over data-security regulations at hearing.

Customers check out at the cash register in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Brendan Sasso
Add to Briefcase
Brendan Sasso
Feb. 4, 2014, 7:18 a.m.

A Tar­get ex­ec­ut­ive test­i­fied on Tues­day that the com­pany was ob­li­vi­ous that hack­ers were steal­ing its cus­tom­ers’ in­form­a­tion un­til the gov­ern­ment in­formed the com­pany last month.

“Des­pite the sig­ni­fic­ant in­vest­ment and mul­tiple lay­ers of de­tec­tion that we had with­in our sys­tems, we did not [de­tect the breach],” John Mul­ligan, Tar­get’s ex­ec­ut­ive vice pres­id­ent and chief fin­an­cial of­ficer, said dur­ing a Sen­ate Ju­di­ciary Com­mit­tee hear­ing.

The Justice De­part­ment in­formed Tar­get of sus­pi­cious activ­ity in­volving its cus­tom­ers’ cred­it and deb­it cards on Dec. 12 last year. The com­pany wasn’t able to rid its sys­tems of the com­puter vir­us un­til Dec. 18, Mul­ligan said.

The breach af­fected as many as 110 mil­lion people who shopped at Tar­get between Nov. 27 and Dec. 18.

Mul­ligan test­i­fied that the hack­ers in­ser­ted a vir­us in­to the re­gisters in Tar­get stores. The vir­us, which went un­detec­ted by the com­pany’s vir­us-pro­tec­tion pro­grams, cap­tured pay­ment in­form­a­tion be­fore it could be en­cryp­ted in Tar­get’s sys­tem.

In ad­di­tion to cred­it- and deb­it-card num­bers, the hack­ers also cap­tured the names, mail­ing ad­dresses, phone num­bers, and email ad­dresses of mil­lions of cus­tom­ers. In some cases, the hack­ers were even able to ob­tain cus­tom­ers’ PIN num­bers, Mul­ligan said.

“I want to say how deeply sorry we are for the im­pact this in­cid­ent has had on our guests — your con­stitu­ents,” Mul­ligan said.

“We know this breach has shaken their con­fid­ence in Tar­get, and we are de­term­ined to work very hard to earn it back.”

He ar­gued that if cred­it- and deb­it-card com­pan­ies had used “Chip and PIN” tech­no­logy, it would have pro­tec­ted the cus­tom­er in­form­a­tion.

Mi­chael King­ston, seni­or vice pres­id­ent and chief in­form­a­tion of­ficer at Nei­man Mar­cus, said his com­pany real­ized that hack­ers had in­vaded its sys­tem on Jan. 2, and was able to get rid of the vir­us by Jan. 10. The breach may have af­fected about 1 mil­lion pay­ment cards, King­ston said.

Sev­er­al Demo­crats, in­clud­ing Ju­di­ciary Com­mit­tee Chair­man Patrick Leahy, have in­tro­duced bills that would em­power the gov­ern­ment to fine com­pan­ies that fail to im­ple­ment ad­equate pri­vacy and se­cur­ity safe­guards.

Sen. Charles Grass­ley, the rank­ing Re­pub­lic­an on the Ju­di­ciary Com­mit­tee, ar­gued that le­gis­la­tion should fo­cus only on vol­un­tary guidelines.

“In a world of crafty crim­in­als, it seems to me that one-size-fits-all ap­proach won’t work, or at least won’t work for every­body,” Grass­ley said. “In­stead, let’s see how the gov­ern­ment can part­ner with private busi­ness to strengthen data se­cur­ity.”

But Demo­crats em­phas­ized the im­port­ance of man­dat­ory se­cur­ity rules.

“Rights are not real un­less they are en­force­able,” said Sen. Richard Blu­menth­al, of Con­necti­c­ut.

What We're Following See More »
TURNING OVER 3,000 RUSSIAN ADS
Facebook to Cooperate with Congress
2 hours ago
WHY WE CARE
CALLS HIM A “FRIEND OF MINE”
Trump Praises Erdogan
2 hours ago
THE DETAILS
INFORMS CONGRESS RE: EXECUTIVE ORDER
Trump Makes Good on Promise of New North Korea Sanctions
4 hours ago
THE LATEST

President Trump this afternoon announced another round of sanctions on North Korea, calling the regime "a continuing threat." The executive order, which Trump relayed to Congress, bans any ship or plane that has visited North Korea from visiting the United States within 180 days. The order also authorizes sanctions on any financial institution doing business with North Korea, and permits the secretaries of State and the Treasury to sanction any person involved in trading with North Korea, operating a port there, or involved in a variety of industries there.

SUED FOR SIMILAR DESIGN
Ivanka to Court Over $785 Sandals
5 hours ago
THE DETAILS
DOESN’T KNOW WHEN
Trump Says He’ll Visit Puerto Rico
7 hours ago
THE DETAILS

"Seated next to Ukrainian President Poroshenko on his final day of meetings at the United Nations, Trump did not say when he might go to Puerto Rico, but spoke solemnly about the destruction to an island he said had been 'absolutely obliterated.'”

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login