However, they revealed few new details of recent massive data
breaches that compromised the personal information of millions of
In a relatively collegial hearing before the Senate Judiciary
Committee, executives of retailers Target and Neiman Marcus said
hackers had found ways to penetrate their best security practices.
"I think what we've learned ... is that just having the tools and
technology isn't enough in this day and age," Neiman Marcus Chief
Information Officer Michael Kingston told the panel. "These
attackers again are very, very sophisticated and they've figured out
ways around that."
Target Chief Financial Officer John Mulligan said his company was
"deeply sorry" for a cyber breach over the holiday shopping period
in which about 40 million credit and debit card records were stolen,
along with 70 million other records with personal customer data.
Patrick Leahy, a Vermont Democrat, asked Mulligan whether Target,
the No. 3 U.S. retailer, had known that its systems had been hacked
before the U.S. Justice Department notified the company of the
breach in mid-December.
"Despite significant investment in multiple layers of detection that
we had in our systems, we did not," Mulligan replied.
Neiman Marcus said the breach of its systems exposed payment card
information from transactions in 77 of 85 stores between July and
October last year but added that it found no indication that website
or restaurant transactions were compromised or that personal
identification numbers were affected.
"The maximum number of account numbers in our stores at that time
when they were exposed to the malware was 1.1 million accounts,"
Kingston told the panel. "But we do believe, because the malware was
only operating at certain times, that the number is less than that."
Kingston and Mulligan are slated to testify again on Wednesday
before a House of Representatives panel.
The companies, joined by lawmakers and consumer advocates,
suggested an accelerated move to a new type of payment cards known
as "chip-and-PIN." They store customer information on computer chips
and require users to type in personal identification numbers to make
further breaches less likely.
"It is of concern to me that our payment card systems really do need
improvement," Federal Trade Commission Chairwoman Edith Ramirez said
at the hearing.
She later added: "Based on latest information available to us ...
it's clear that companies need to do a lot more, that they continue
to make basic mistakes."
Target said on Monday it was speeding up a planned $100 million
program to implement the use of chip-enabled smart cards to protect
against cyber theft. Mulligan said that investment would be split
between installing new card readers and the cost of issuing
Whether "chip-and-PIN" cards would have prevented the breaches at
Target and Neiman Marcus is not clear, but experts say at the very
least they make stolen data harder to re-use, a reason the
technology has caught on widely in Europe and Asia.
They have met with much less enthusiasm in the United States, in
part because losses to fraud — 5 cents for every $100 spent via
plastic — have been manageable for merchants and their banks.
"We're talking about something that's widely used in Europe and
could easily be imposed here much earlier," Senator Richard
Blumenthal, a Connecticut Democrat, told retailers.
"I don't want to say that we've left the door unlocked in the retail
industry, but the locks are a lot less sophisticated," he added
later. "Industries have some soul searching to do on whether they've
been sufficiently protective of the consumer information."
Mulligan urged closer collaboration with the financial industry to
move collectively on chip-and-PIN.
"All of us need to move together simultaneously. It's a shared
responsibility," he said.
Neiman Marcus's Kingston said he welcomed new standards that may set
a higher bar for companies' security practices and better sharing of
information about breaches with law enforcement agencies.
Some lawmakers are once again taking up an effort to pass
legislation to regulate data breach responses after similar pushes
gained little traction in the past.
"Anything that strengthens the security of data is a good thing,"
said the Justice Department's acting assistant attorney general,
But she cautioned: "Malware adapts every day, botnets adapt every
day, criminals are early adopters of almost every kind of technology
and our challenge is to stay ahead of them."
(Additional reporting by Peter Cooney;
editing by Jim Loney, Ros Krasny, Lisa Von Ahn and Steve Orlofsky)
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.