WASHINGTON -- Stringent requirements must be put in place to ensure that customers are notified promptly when a data breach occurs, Sen. Dianne Feinstein said Tuesday at a congressional hearing on preventing data breaches and cyber crime.
Executives from Target and Neiman Marcus, testifying before the Senate Judiciary Committee, detailed their responses to recent, massive data breaches. Neiman Marcus Senior Vice President Michael Kingston said the company first learned of a possible problem from its credit processor on Dec. 17 when Mastercard told the retailer that 122 fraudulently used credit cards had last been used at Neiman Marcus.
A forensic team on Jan. 2 confirmed the data breach, which ultimately compromised the accounts of 1.1 million customers, Kingston said.
Feinstein, D-Calif., said she is a Neiman Marcus shopper and never received notification of the breach. Feinstein said she shopped at the store during the time the malware was stealing the data. Kingston said Neiman Marcus notified online and in-store customers on Jan. 22. The law should require prompt customer notification, Feinstein said.
"The public notification is always vague, it is non-specific," Feinstein said. "Then the customer finds out in other ways, sometimes brutal ways," that their personal data has been stolen.
Target Executive Vice President and Chief Financial Officer John Mulligan began his testimony with an apology for the data breach that exposed information involving 110 million Target customers.
"We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back," Mulligan told the panel.
Target learned of the data breach on the evening of Dec. 12 when the Justice Department notified the company of suspicious activity involving payment cards used at Target stores. Mulligan said company officials met with the Justice Department and Secret Service the next day. On Dec. 14, Target hired an independent team of experts to conduct a forensic investigation.
That team confirmed Dec. 15 that "criminals had infiltrated our system, had installed malware on our point-of-sale network and had potentially stolen guest payment card data," Mulligan said. The same day, the company removed the malware "from virtually all registers in our U.S. stores."
The company disabled malware on 25 additional registers on Dec. 18, he said. Within a week of discovery of the breach, the public was notified, he added.
"We have been moving as quickly as possible to share accurate and actionable information with the public," Mulligan said, adding that the company had no knowledge of malware in its system before the Justice Department notification.
"Speed is very important in letting consumers know what's going on," but Target also considered the accuracy of the information they could deliver and whether there was anything the consumer could do, Mulligan said. He added that an "end-to-end" investigation of the breach is continuing.
An estimated 40 million Target credit and debit card accounts were breached late last year, compromising customers' credit and debit card numbers, expiration dates, PIN numbers and codes on the cards' magnetic strips. Also stolen was non-card personal information — names, phone numbers and email and mailing addresses — for up to 70 million Target customers who could have shopped before or after the Nov. 27-Dec. 15 period.
Still unknown is how the malicious software that was used to carry out the theft got into Target's computer system and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor isn't known, either. The Secret Service has been investigating, and Attorney General Eric Holder has said the Justice Department is conducting a criminal probe.
Consumers Union, the policy and action division of Consumer Reports, is concerned about vulnerabilities in debit cards, which have fewer legal protections than credit cards, policy counsel Delara Derakhshani told the committee.
"While consumers might not ultimately be held responsible if someone steals their debit card and PIN number, data thieves can still empty out consumers' bank accounts and set off a cascade of bounced checks and late fees, which victims will have to settle down the road," Derakhshani said. "The burden is being put on consumers to be vigilant to prevent future fraudulent use of their information."
Although Target, Neiman Marcus and other retailers have offered a year of free credit monitoring for customers whose accounts were breached, Derakhshani said such services have drawbacks. Many of the contracts with the credit monitoring services require consumers to agree to mandatory arbitration, giving up their right to go to court if disputes arise.
A digital chip system for storing account information on debit and credit cards is due to be in place by the fall of 2015. Compared with the current magnetic strips, the chip system typically makes data theft harder, and it is already common in other countries.
"Chip and PIN" technology could be adopted more quickly than the October 2015 deadline, Derakhshani said. Widespread adoption of the technology would require massive changes that will be expensive for processors and retailers, she said.
"I think the answer comes down to money," Derakhshani said.