Target Corp. (TGT:US), scheduled to testify today about a data breach affecting millions of customers, plans to tell lawmakers it had clues about the attack weeks before responding and is exploring why it took so long to react.
After intruders entered Target’s systems on Nov. 12, some of their activities were detected and evaluated by security professionals, according to prepared remarks from Chief Financial Officer John Mulligan that were reviewed by Bloomberg. That was a month before the company was alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.
“We are asking hard questions about whether we could have taken different actions before the breach was discovered,” Mulligan said in remarks to be made before a U.S. Senate panel. “In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound.”
Molly Snyder, a spokeswoman for Minneapolis-based Target, declined to comment.
The testimony follows a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.
“We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target’s point-of-sale registers,” Mulligan said. “The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system.”
The Senate Committee on Commerce, Science and Transportation, which prepared a report ahead of the hearing, found that Target appears to have missed opportunities “to stop the attackers and prevent the massive data breach.”
After the attack became public in December, during the height of the holiday shopping season, it harmed Target’s reputation and fourth-quarter sales (TGT:US). The company’s U.S. comparable-store sales decreased 2.5 percent in the period. Target spent $61 million responding to the situation last quarter, including costs to investigate the incident and offer identity-theft services to customers. Insurance covered $44 million of the tab, leaving the company with an expense of $17 million in the period.
The company is now searching for a new chief information officer following the departure of Beth Jacob, who resigned March 5 after holding the post since 2008. The new executive will help revamp Target’s information-security and compliance operations.
Target isn’t the only retailer to have had its systems attacked in the past year. Luxury department-store chain Neiman Marcus Group Ltd. said in January that about 1.1 million credit cards may have been compromised in a data breach. Days later, arts-and-crafts retailer Michaels Stores Inc. said some customer payment-card data may have been used fraudulently. Sears Holdings Corp. said last month that it was reviewing its systems to see whether it had been the victim of a breach.
To contact the reporter on this story: Renee Dudley in New York at email@example.com
To contact the editors responsible for this story: Nick Turner at firstname.lastname@example.org Stephen West