Until the FBI called in December, Target didn’t know anything about the breach that allowed hackers to steal 40 million debit- and credit-card numbers and 70 million other customer records, the company’s CFO told a Senate committee Feb. 4.
The company also didn’t know that 25 point-of-sale terminals were still infected with the BlackPOS malware for three days after it was first alerted to the break-in, during which attackers collected an additional 150 or so credit card numbers.
However, Target has also spent “hundreds of millions of dollars” on digital security, and plans to spend $100 million more to add support for microchip-enabled credit- and debit cards to its 1,800 U.S. stores by early 2015, six months earlier than it had planned, Target CFO John Mulligan said in testimony before the Senate Judiciary Committee (Video at NBC.).
Target is “deeply sorry” about the loss of 40 million credit and debit card records, and 70 million more data records containing customer email and street addresses, which Mulligan attributed to hackers sophisticated enough to discover ways to penetrate the company’s best defenses.
Among retailers, however, “best” is rarely adequate, according to Illinois Attorney General Lisa Madigan, who testified Feb. 5 about the progress being made in a multi-state investigation of data breaches at Target, Neiman Marcus Group LLC, and Michaels Stores, Inc., which her office is leading in tandem with that of Connecticut Attorney General George Jepsen.
Previous investigations have shown instances in which retailers ignored basic security measures to protect customer data due to the cost or inconvenience of fixing them, Madigan told the House Energy and Commerce, according to Reuters.
The chip-and-PIN smartcard-based debit-card security system, to which Target announced plans to migrate, is standard throughout much of the developed world, but not in the U.S., where retailers have resisted the expense of moving.
Target began testing chip-and-PIN cards in 2001, according to the Wall Street Journal, but stopped after three years because checkout lines moved more slowly using smartcards that those with only magnetic strips.
In an opinion piece posted at Target.com Feb. 3, Mulligan blames cost, awkward technology and a lack of agreement on standards among retailers for the failure of its experiment with smartcards.
Illinois’ attorney general doesn’t buy the implication that Target has been doing all it should be doing to secure its data, however. “Frankly, it is negligent of the U.S. to fall behind the rest of the world when it comes to security of our payment systems,” Madigan said. “The notion that companies are already doing everything they can to prevent breaches is false.”
Retailers are increasing the amount they spend on technology by about 4 percent per year, according market-researcher IDC’s retail practice, but continue to spend only about 2 percent of their IT budgets on security. IDC Retail Insights predicts retail spending on security will increase 5.7 percent in 2014 compared to last year, due to the breaches.
“Having the tools and technology isn’t enough in this day and age,” Neiman Marcus CIO Michael Kingston told the Senate committee. “It’s often how you deploy this technologies and what else are you doing, which goes back to make sure we’re sharing intelligence as much as we can.”
Gartner, Inc.’s retail surveys estimate security spending averages 4 percent of the retailers’ IT budgets, compared with 5.5 percent among banks and 5.6 percent at healthcare companies.
“It’s clear that companies need to do a lot more, that they continue to make basic mistakes,” Federal Trade Commission Chairwoman Edith Ramirez told the Senate Judiciary Committee Feb. 4, while urging them to expand the powers of the FTC to allow it to impose fines on retailers “that do not adequately protect their users’ data.”
“They don’t spend enough on isolating their payment card processing environment from the rest of their store networks and the public Internet,” Gartner analyst Avivah Litan told Reuters. “This leaves their cardholder data environment open to security holes that the criminals punch through.”
“At Target, we take our responsibilities to our guests very seriously, and this attack has only strengthened our resolve,” a Target statement quoted Mulligan as saying. “We will learn from this incident and, as a result, we hope to make Target and our industry more secure for consumers in the future.”
Image: Shutterstock.com/Ken Wolter