Target security breach lasted longer than previously thought


WASHINGTON — A Target Corp. official told a Senate committee that a massive security breach affecting up to 110 million holiday shoppers lasted three days longer than previously thought.

Chief Financial Officer John Mulligan disclosed the latest information in written testimony at a hearing Tuesday before the Senate Judiciary Committee, which is considering ways to protect consumers’ personal information.

The malicious software that enabled hackers to steal information from credit and debit cards from Nov. 27 to Dec. 15 was later found on 25 additional checkout machines and continued to collect shoppers’ information for three more days, Mulligan wrote.


Mulligan, who also testified at the committee hearing, said the additional machines were missed when Target initially scrubbed its computer systems of the malware because those registers were offline.

The additional theft, which Target had not previously disclosed publicly, affected fewer than 150 customers, he said. The strike against the company was one of the largest cyberthefts at a single retailer.

In the aftermath of the holiday attacks against Target and upscale retailer Neiman Marcus, senators began efforts to tighten data-breach notification requirements, increase enforcement and improve technology to prevent future security lapses.

Sen. Dianne Feinstein (D-Calif.) called for notifying customers directly after a breach has occurred, a policy she and three Democratic colleagues wrote into legislation introduced last week.

Feinstein, who said she shopped at Niemen Marcus while customers’ payment card data were at risk, complained she hadn’t been directly notified that an attack had taken place or that her personal information might have been released.

“The public notification is always vague,” Feinstein said, noting that many consumers learn about breaches only after media reports. “You really don’t know, and then you find out kind of brutally in other ways.”


After a breach in Neiman Marcus’ system left as many as 1.1 million payment cards exposed, some criticized the retailer for the delayed notification.

Although it learned Dec. 17 that one of its stores might be the common point for more than 100 fraudulent credit cards, the company did not confirm the existence of malware until Jan. 2, said Michael Kingston, a Neiman senior vice president. Neiman Marcus began notifying customers and the public Jan. 10 after stopping the malware.

Mythili Raman, acting assistant attorney general for the criminal division, called for standards requiring businesses to provide swift notification after consumer data have been compromised.

The financial and retailing industries have blamed one another for the security lapses. Bankers have complained that retailers do not take adequate precautions to secure customer data. Retailers have blamed antiquated credit card technology for putting private information at risk.

U.S. credit and debit cards store information on a magnetic strip, a technology at least 30 years old. Plans are underway to update the card system with digital chips by October 2015.

Target’s Mulligan said the new technology “would have rendered the account numbers taken far less useful.”


Target is aiming to install hardware accommodating the chips six months before the cards switch over, he said. By early 2015, the retail giant also hopes to install digital chips in its store payment cards, known as Redcards.

Retailers and consumer advocates want to go one step further, though, requiring consumers to use a PIN with purchases. Cards with chips and PINs have helped reduce store fraud in Europe, where the technology is widely used, said Fran Rosch, a top executive at computer security firm Symantec Corp.

Senators also are considering greater oversight and enforcement. During a banking subcommittee hearing Monday, Sen. Elizabeth Warren (D-Mass.) called for granting the Federal Trade Commission more power to investigate breaches.

“The FTC should have the enforcement it needs to protect consumers, and it looks to me like it doesn’t have that authority right now,” Warren said. “Data security problems aren’t going away on their own, so Congress really needs to consider whether to strengthen the FTC’s hand.”

The Target breach involved 40 million payment card numbers and as many as 70 million customers’ names, home addresses, email addresses and phone numbers.