Friday, April 19, 2024

Target Clarifies Number of Consumers Affected by Breach, Claims Data Security Improving

Target Corp. told a U.S. Senate committee Wednesday that the overlap in the number of consumers affected by the two-headed monster of its data breach may be 12 million or more. The nation’s No. 2 general retailer also said it is improving its data security in the wake of the breach it disclosed in December.

Target chief financial officer John Mulligan discussed these developments at a hearing of the Senate’s Commerce, Science and Transportation Committee about improving data security. It was at least the third time in two months that Mulligan has trudged up Capitol Hill to explain what went wrong at Target that enabled hackers to steal payment card data on 40 million customers and non-card data on 70 million consumers.

Many analysts have summed those two figures to say the breach affected up to 110 million consumers, even though Target has said there likely was some overlap. Mulligan today quantified that overlap for the first time.

“It is difficult to develop an accurate assessment of overlap between these two types of data, due in part to the partial nature of the information related to the file of 70 million individuals,” Mulligan’s written testimony says. “Our analysis indicates there is an overlap of at least 12 million guests in the two populations, and likely more.”

The panel’s Democratic majority staff issued a report called “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach” criticizing Target for lax security and its slow response to warnings that hackers were infiltrating its computer system. Based mostly on press accounts and assessments from data-security firms, the report shed little new light on how the breach happened, but it includes a timeline of the breach's events and outlines steps Target could have taken to thwart the hackers.

The breach, which occurred between Nov. 27 and Dec. 15, apparently started after Russia-based hackers somehow stole network credentials Target had given to a small heating, ventilation and air-conditioning contractor near Pittsburgh. Using those credentials, the hackers were able to work their way into Target’s payment card processing system and install malware on the point-of-sale equipment in its U.S. stores that copied card data. They parked the data on a Target server before exfiltrating it from the network and selling it on the black market. Before the hackers actually removed any data, however, a powerful intrusion-detection application called FireEye that Target had recently installed issued alerts to a Target technology center in India that something was amiss. Staff in India quickly notified Target’s Minneapolis headquarters, but no one there responded, according to Bloomberg Businessweek.

Mulligan outlined several steps Target is taking to improve data security, including more segmentation of its network, use of two-factor authentication, and adding an application “white-listing” capability to its POS registers to detect malware attempting to run on them.
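The two controls above map directly onto the attack path described earlier: segmentation would have stopped a contractor’s credential from reaching the cardholder-data network, and allow-listing would have flagged the card-copying malware on the registers. The following is an added illustration, not Target’s tooling or anything from the hearing; the segment addresses, account roles, binary hashes and log lines are all constructed for the example. It runs both checks over a handful of sample log records and returns the alerts a security team would triage.

```python
"""Added example: segmentation and allow-listing checks over constructed logs.
Nothing here is Target's actual network layout or software inventory."""
import ipaddress
from typing import Dict, List, Optional

# Constructed segment map (assumed RFC 1918 ranges, chosen for illustration).
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "cardholder": ipaddress.ip_network("10.30.0.0/16"),
}

# Which segments each account role is permitted to reach (constructed policy).
ROLE_ALLOWED_SEGMENTS = {
    "hvac_vendor": {"vendor_portal"},
    "pos_admin": {"corporate", "cardholder"},
}

# Constructed allow-list: placeholder hashes of binaries a register may run.
POS_ALLOWED_HASHES = {
    "pos_register": {"hash-of-register-app", "hash-of-payment-driver"},
}


def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def check_flow(role: str, dst_ip: str) -> Optional[str]:
    """Segmentation check: a role may only reach segments on its allow-list."""
    seg = segment_of(dst_ip)
    allowed = ROLE_ALLOWED_SEGMENTS.get(role, set())
    if seg is None or seg not in allowed:
        return f"segmentation: role {role} reached {seg or 'unknown'} segment ({dst_ip})"
    return None


def check_exec(host_role: str, exe_hash: str) -> Optional[str]:
    """Allow-listing check: anything not on the host role's list is flagged."""
    if exe_hash not in POS_ALLOWED_HASHES.get(host_role, set()):
        return f"allowlist: unapproved binary {exe_hash} on {host_role}"
    return None


def parse(line: str) -> Dict[str, str]:
    """Parse '<ts> <kind> k=v k=v ...' into a dict (constructed log format)."""
    ts, kind, *fields = line.split()
    rec = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def triage(lines: List[str]) -> List[str]:
    """Run the appropriate check on each record and collect alert strings."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec["kind"] == "flow":
            violation = check_flow(rec["role"], rec["dst"])
        elif rec["kind"] == "exec":
            violation = check_exec(rec["role"], rec["sha256"])
        else:
            violation = None
        if violation:
            alerts.append(f"{rec['ts']} {violation}")
    return alerts


# Constructed sample records: one vendor login that stays in its lane, one that
# crosses into the cardholder segment, one approved register binary, one not.
SAMPLE_LOG = [
    "2013-11-27T03:12:44Z flow user=hvac-vendor-01 role=hvac_vendor dst=10.10.0.8",
    "2013-11-27T03:13:02Z flow user=hvac-vendor-01 role=hvac_vendor dst=10.30.4.17",
    "2013-11-30T22:05:10Z exec host=pos-0123 role=pos_register sha256=hash-of-register-app",
    "2013-11-30T22:05:11Z exec host=pos-0123 role=pos_register sha256=hash-of-unknown-dll",
    "2013-12-02T01:00:00Z flow user=pos-admin-7 role=pos_admin dst=10.30.1.1",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints two alerts: the vendor account touching the cardholder segment and the unapproved binary on the register. The point of the design is that both checks are deny-by-default policies keyed on role rather than on the attacker’s behaviour, so they fire regardless of which malware or credential is involved; the remaining gap, as the hearing testimony shows, is making sure someone acts on the alert.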

Mulligan also said Target is accelerating its $100 million investment to issue private-label chip cards to its customers and to be able to accept chip cards from all customers. “We have already installed approximately 10,000 chip-enabled payment devices in Target stores and expect to complete the installation in all Target stores by this September, six months ahead of schedule,” he said. “We also expect to begin to issue chip-enabled Target REDcards and accept all chip-enabled cards by early 2015.”

Another witness was Ellen Richey, chief enterprise risk officer and chief legal officer at Visa Inc. Richey urged Congress, as it considers various measures intended to improve data security and supersede the patchwork of breach-notification laws in 46 states and the District of Columbia, to tread carefully in prescribing technology.

“We would caution against legislating technology standards or mandating a specific security or payment technology, to avoid hindering the rapid rate of new payment innovations that are coming to market, especially mobile-wallet solutions that will leverage a range of new tools to authenticate payments and enhance security,” Richey said in her written testimony.

Asked about that point by a senator, Richey said that legislatively mandated technologies “tend to have unintended consequences.”

Richey also said Visa usually sees fraud on 2% to 5% of Visa cards compromised in a major breach, but so far the fraud percentage from Target is much lower, according to the Associated Press.

The hearing came two days after a pair of banks that issued cards compromised in the breach filed a federal lawsuit in Chicago accusing Target and Trustwave Holdings Inc. of negligence. Trustwave, the leading provider of Payment Card Industry data-security standard (PCI) auditing and related services, reportedly assessed Target as PCI compliant in September. Neither Target nor Trustwave would comment on the suit.


Digital Transactions