Target reveals more details on data breach

Star Tribune (Minneapolis)February 5, 2014 

WASHINGTON — A top Target Corp. executive on Tuesday said the company tried to balance the need for customers to know about a computer breach with a desire to provide accurate information as it dealt with a cybertheft that affected up to 110 million customers.

In Target’s first appearance on Capitol Hill since one of the biggest heists of computerized data in American history, Chief Financial Officer John Mulligan described the hectic week between the time when Target first heard that its computer system may have been hacked and the time it told customers about the crime.

The company first took three days to confirm the presence of malware, then removed it from “virtually all registers in our U.S. stores,” Mulligan said.

Then Target told payment processors and card networks about the trouble, fixed 25 more registers and prepared its employees for the onslaught of customer inquiries it expected when it let shoppers know of the breach.

Finally, on Dec. 19, a week after first hearing from the U.S. Justice Department about “suspicious activity involving payment cards,” Target announced the data breach publicly.

“Our view is there’s a need for a balance to be struck,” Mulligan told members of the Senate Judiciary Committee. Customers had to be told, Mulligan said, but they also deserved accurate information as they tried to protect themselves.

Mulligan’s testimony and the testimony of six others revealed a broad vulnerability to cyberthieves that must be addressed legislatively, said Minnesota Sens. Amy Klobuchar and Al Franken, both Democratic members of the judiciary committee.

Franken called cyberattacks “systemic” at a time when the federal government imposes no cybersecurity standards or cybercrime reporting requirements.

Franken asked Mulligan about published reports that Target’s cyber security system was “astonishingly” weak. Mulligan disagreed, telling Franken that the company has spent “hundreds of millions of dollars” on a multilayered consumer protection protocol.

Still, Target had no idea its computers had been hacked until the Justice Department called, Mulligan acknowledged. He promised an “end-to-end review” and “security enhancements.”

Among them is a plan to spend $100 million upgrading anti-theft technology used in the company’s proprietary credit and discount cards, called REDcards. The technology involves computer chips and personal identification numbers now in use in Europe. It includes updating card readers in 1,800 Target stores and should be ready by early 2015, the company said in a release Tuesday.

Mulligan further reported that to date, Target has seen no fraud activity on its proprietary credit and discount cards due to the breach and “a very low amount of additional fraud on our Target Visa card.”

The News Tribune is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service