Lisa Madigan, the Illinois attorney general, spoke at a
congressional hearing as lawmakers review whether retailers Target
Corp and Neiman Marcus Group LLC properly protected their customers'
information.
Top executives of Target and Neiman Marcus, which suffered major
data breaches last year that exposed private information of millions
of customers, testified in Congress for a second straight day,
saying the attacks were so sophisticated that they evaded their best
security practices.
Madigan warned, however, that past investigations of other data
breaches turned up repeated instances in which companies allowed
their systems to retain unencrypted data, failed to install software
patches for known vulnerabilities and kept information longer than
necessary.
"During prior breach investigations, we have found instances when
companies failed to take basic steps to protect consumer data,"
Madigan told a House Energy and Commerce Committee panel. "So the
notion that companies are already doing everything they can to
prevent breaches is false."
The companies and federal investigators are still trying to figure
out how hackers stole the data. Experts testified that the malware
used in the massive thefts was so complex and customized that common
network security systems could not detect it.
"I didn't hear a smoking gun," Representative Lee Terry, a
Republican from Nebraska, told reporters after the hearing held by
his commerce subcommittee. "But like (the retailers) said, their
audits aren't complete. We knew that coming in here and we'll
continue to have dialogue."
"It looked like it was a process failure," he said.
Target, the third-largest U.S. retailer, has said the theft of a
vendor's credentials helped cyber criminals steal about 40 million
credit and debit card records and 70 million other records with
customer information such as addresses and telephone numbers.
Luxury retailer Neiman Marcus has said a maximum of 1.1 million
accounts were exposed to malware during the breach of its computers
last year.
"At Neiman Marcus, we felt and feel very good about the high
standards of security that we had in place," Neiman's chief
information officer, Michael Kingston, said on Wednesday.
"Obviously, there will be lessons learned," he added.
SOPHISTICATED CRIMINALS
Target announced this week it was speeding up a planned $100 million
program for a new type of payment card known as "chip-and-PIN,"
which stores information on computer chips and requires users to
type in personal identification numbers to make fraudulent use less
likely.
But security experts and IT service providers say moves like
Target's are a drop in the bucket as retailers defend against
increasingly complex cyber attacks.
"As good as security factors are, these criminal organizations are
looking for ways to go around whatever security (restrictions) have
been set up," Secret Service agent William Noonan told Wednesday's
hearing.
Noonan said the data breaches at Target and Neiman Marcus were
separate, distinct attacks using different "criminal tools," but the
investigation had not yet revealed whether they were carried out by
the same group of hackers.
"These were very sophisticated, coordinated events and it was not
necessarily a singular actor," he said. "When you bring together a
coordinated group of sophisticated criminals, they will find" ways
around defenses.
The Secret Service is the lead agency investigating the recent
breaches.
NEXT STEPS
The companies, lawmakers and consumer advocates have suggested an
accelerated move to chip-enabled cards, which are already used
widely in Europe and Asia.
They have been met with much less enthusiasm in the United States,
in part because losses to fraud — 5 cents for every $100 spent via
plastic — have been manageable for merchants and their banks.
"Frankly, it is negligent of the United States to fall behind the
rest of the world when it comes to security of our payment systems,"
Madigan told lawmakers.
Federal Trade Commission Chairwoman Edith Ramirez asked lawmakers to
give the FTC, which investigates and enforces companies' privacy
standards, civil penalty authority, jurisdiction over nonprofits and
authority to set new rules "to enable us to deal with evolving risks
and harms."
The high-profile breaches have revived efforts in Congress to pass
legislation to regulate data breach responses, including potentially
setting a federal standard for how and when companies have to notify
consumers about a breach.
Currently, notification rules are set through a patchwork of state
laws, and questions about federal rules pre-empting states'
authority helped stall previous attempts to pass new data security
bills in Congress.
(Writing by Jim Loney; editing by Leslie Adler)
© 2014 Thomson Reuters. All rights reserved.