Bloomberg News

Target to Tell Congress It’s Exploring Slow Response to Hackers

March 26, 2014

Target Store

After the hacker attack became public in December, during the height of the holiday shopping season, it harmed Target Corp.’s reputation and fourth-quarter sales. Photographer: Patrick T. Fallon/Bloomberg

Target Corp. (TGT:US), scheduled to testify today about a data breach affecting millions of customers, plans to tell lawmakers it had clues about the attack weeks before responding and is exploring why it took so long to react.

After intruders entered Target’s systems on Nov. 12, some of their activities were detected and evaluated by security professionals, according to prepared remarks from Chief Financial Officer John Mulligan that were reviewed by Bloomberg. That was a month before the company was alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.

“We are asking hard questions about whether we could have taken different actions before the breach was discovered,” Mulligan said in remarks to be made before a U.S. Senate panel. “In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound.”

Molly Snyder, a spokeswoman for Minneapolis-based Target, declined to comment.

The testimony follows a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.

‘Still Investigating’

“We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target’s point-of-sale registers,” Mulligan said. “The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system.”

The Senate Committee on Commerce, Science and Transportation, which prepared a report ahead of the hearing, found that Target appears to have missed opportunities “to stop the attackers and prevent the massive data breach.”

After the attack became public in December, during the height of the holiday shopping season, it harmed Target’s reputation and fourth-quarter sales (TGT:US). The company’s U.S. comparable-store sales decreased 2.5 percent in the period. Target spent $61 million responding to the situation last quarter, including costs to investigate the incident and offer identity-theft services to customers. Insurance covered $44 million of the tab, leaving the company with an expense of $17 million in the period.

Technology Chief

The company is now searching for a new chief information officer following the departure of Beth Jacob, who resigned March 5 after holding the post since 2008. The new executive will help revamp Target’s information-security and compliance operations.

Target isn’t the only retailer to have had its systems attacked in the past year. Luxury department-store chain Neiman Marcus Group Ltd. said in January that about 1.1 million credit cards may have been compromised in a data breach. Days later, arts-and-crafts retailer Michaels Stores Inc. said some customer payment-card data may have been used fraudulently. Sears Holdings Corp. said last month that it was reviewing its systems to see whether it had been the victim of a breach.

To contact the reporter on this story: Renee Dudley in New York at rdudley6@bloomberg.net

To contact the editors responsible for this story: Nick Turner at nturner7@bloomberg.net Stephen West


Toyota's Hydrogen Man
LIMITED-TIME OFFER SUBSCRIBE NOW

Companies Mentioned

  • TGT
    (Target Corp)
    • $74.27 USD
    • 0.32
    • 0.43%
Market data is delayed at least 15 minutes.
 
blog comments powered by Disqus