Target apologizes for data breach, retailers embrace security upgrade

BOSTON/NEW YORK Mon Jan 13, 2014 11:15pm IST

The sign outside the Target store is seen in Arvada, Colorado January 10, 2014. REUTERS/Rick Wilking


BOSTON/NEW YORK (Reuters) - Target Corp (TGT.N) began a major public relations effort on Monday to apologize to customers for an unprecedented cyber attack on its network, but the No. 3 U.S. retailer was vague in providing details about what it knew and when.

The company has so far disclosed that the breach started in late November and lasted 19 days over the peak holiday shopping season, resulting in the theft of about 40 million credit card records and 70 million other records containing customer data.

Target is trying to woo back customers after sales dropped off at the end of the holiday season. Its campaign included full-page newspaper advertisements on Monday apologizing for the attack and the first interview since the breach by chief executive Gregg Steinhafel.

He told CNBC TV business network that Target wanted to lead the retail industry's move to adopt payment card technology that stores customer information on computer chips and requires users to type in personal identification numbers.

On Sunday, a top executive with the National Retail Federation called for tougher security standards that could mean more spending for the industry, its banks and business partners following the breaches at Target and other retailers in the United States.

Steinhafel said he was proud of the way Target employees had responded once the breach was confirmed, yet he provided few details about what had happened.

Target disclosed on December 19 that it was victim to one of the biggest credit card breaches on record. It said the breach ran for 19 days in the busy holiday shopping season through December 15.

"We're going to get to the bottom of this," Steinhafel told CNBC. "We're not going to rest until we understand what happened and how that happened."

The company declined to say precisely when it first came to suspect its systems might have been compromised.

In the CNBC interview, Steinhafel said the company "confirmed" that it had been the victim of a breach on December 15, but he provided no account of what happened in the preceding weeks.

"December 15. That was the day we confirmed that we had an issue," he said.

Sources familiar with the investigation have previously told Reuters that Target learned about the attack only after receiving warnings from financial industry sources who reported seeing a surge in fraudulent credit card activity from accounts of customers who had shopped at the retailer.

Another retailer, Neiman Marcus, disclosed on Friday that it was warned about a possible breach in mid-December and that an outside forensics firm confirmed a breach on January 1, saying it found evidence that some payment card data may have been compromised.

Target and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holidays, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.

Smaller breaches on at least three other well-known U.S. retailers took place over the holiday season and were conducted using techniques similar to those used in the one on Target, according to the people familiar with the attacks. Similar breaches may have occurred earlier last year.

Stores and card processing companies have reported a steady stream of security breaches for years, such as those disclosed by TJX Cos (TJX.N) in 2007 and by Heartland Payment Systems Inc (HPY.N) in 2009, without a major backlash from consumers.

But the latest thefts could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.

'CHIP-AND-PIN' CARDS

One sign of the change is the new enthusiasm for "Chip-and-PIN" payment cards, which have computer chips built into them and require users to type in PINs.

Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart (WMT.N) and other stores, said on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.

The breaches are "unfortunate but we're not entirely surprised," Duncan said at his organization's annual convention in New York.

"The technology that exists in cards out there is 20th-century technology and we've got 21st-century hackers," he said.

Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc (V.N) will not require the higher security until next year at the earliest.

It is not clear that "Chip-and-PIN" technology would have prevented the breaches at Target and elsewhere. At the very least the cards make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.

They have met with much less enthusiasm in the United States, in part because losses to fraud - just 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks. But rising fraud rates, and the risk of identity theft, could change the calculation.

The new scrutiny began after Target disclosed its breach. Investigators believe hackers used malware that captured data on customers from the magnetic stripes on their payment cards.

Duncan said no other members had told the NRF they had been breached.

Executives of several other companies said over the weekend that they were not aware of breaches at their companies. The executives included representatives of Sears Holdings Corp (SHLD.O), JCPenney Co (JCP.N), Macy's Inc (M.N) and Gap Inc (GPS.N).

Still, the breach was the talk of the retail conference with 29,000 attendees. Several speakers cited it in remarks and some tried to distance their companies from vulnerabilities.

Stan Lippelman, vice president of marketing at Bass Pro Shops, a privately-held outdoor goods seller, said: "We feel very comfortable with where we are at. But...the fact that it happens to Target means it can happen to anybody, right?"

(Additional reporting by Dhanya Skariachan in New York, Bill Trott in Washington and Sruthi Ramakrishnan in Bangalore; Editing by Stephen Coates and Grant McCool)
