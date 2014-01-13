By Ross Kerber, Phil Wahba and Jim Finkle
BOSTON/NEW YORK Jan 13 Target Corp
began a major public relations effort on Monday to apologize to
customers for an unprecedented cyber attack on its network, but
the No. 3 U.S. retailer was vague in providing details about
what it knew and when.
The company has so far disclosed that the breach started in
late November and lasted 19 days over the peak holiday shopping
season, resulting in the theft of about 40 million credit card
records and 70 million other records containing customer data.
Target is trying to woo back customers after sales dropped
off at the end of the holiday season. Its campaign included
full-page newspaper advertisements on Monday apologizing for the
attack and the first interview since the breach by chief
executive Gregg Steinhafel.
He told CNBC TV business network that Target wanted to lead
the retail industry's move to adopt payment card technology that
stores customer information on computer chips and requires users
to type in personal identification numbers.
On Sunday, a top executive with the National Retail
Federation called for tougher security standards that could mean
more spending for the industry, its banks and business partners
following the breaches at Target and other retailers in the
United States.
Steinhafel said he was proud of the way Target employees had
responded once the breach was confirmed, yet he provided few
details about what had happened.
Target disclosed on Dec. 19 that it was victim to one of the
biggest credit card breaches on record. It said it ran for 19
days in the busy holiday shopping season through Dec. 15.
"We're going to get to the bottom of this," Steinhafel told
CNBC. "We're not going to rest until we understand what happened
and how that happened."
The company declined to say precisely when it first came to
suspect its systems might have been compromised.
In the CNBC interview, Steinhafel said the company
"confirmed" that it had been victim of a breach on Dec. 15, but
he provided no account of what happened in preceding weeks.
"December 15. That was the day we confirmed that we had an
issue," he said.
Sources familiar with the investigation have previously told
Reuters that Target learned about the attack only after
receiving warnings from financial industry sources who reported
seeing a surge in fraudulent credit card activity from accounts
of customers who had shopped at the retailer.
Another retailer, Neiman Marcus, disclosed on Friday that it
was warned about a possible breach in mid-December and that an
outside forensics firm confirmed a breach on Jan. 1, saying it
found evidence that some payment card data may have been
compromised.
Target and Neiman Marcus are not the only U.S. retailers
whose networks were breached over the holidays, according to
sources familiar with attacks on other merchants that have yet
to be publicly disclosed.
Smaller breaches at least three other well-known U.S.
retailers took place over the holiday season and were conducted
using similar techniques as the one on Target, according to the
people familiar with the attacks. Similar breaches may have
occurred earlier last year.
Stores and card processing companies have reported a steady
stream of security breaches for years without a major backlash
from consumers, such as those disclosed by TJX Cos in
2007 and by Heartland Payment Systems Inc in 2009.
But the latest thefts could mark a watershed moment for
security standards as calls grow for changes in the protection
of consumer information.
'CHIP-AND-PIN' CARDS
One sign of the change is the new enthusiasm for
"Chip-and-PIN" payment cards, which have computer chips built
into them and require users to type in PINs.
Mallory Duncan, general counsel of the National Retail
Federation that represents Target, Wal-Mart and other
stores, said on Sunday that the trade group encouraged its
members to upgrade to the higher-security cards even though they
cost more than old systems that store data on magnetic stripes.
The breaches are "unfortunate but we're not entirely
surprised," Duncan said at his organization's annual convention
in New York.
"The technology that exists in cards out there is
20th-century technology and we've got 21st-century hackers," he
said.
Duncan said the trade group had only made its backing for
the higher-security cards public since the Target breach. Banks
have quietly begun to offer the cards but mainly for customers
to use while traveling. Big U.S. card networks led by Visa Inc
will not require the higher security until next year at
the earliest.
It is not clear that "Chip-and-PIN" technology would have
prevented the breaches at Target and elsewhere. At the very
least they make stolen data harder to re-use, a reason the
technology has caught on widely in Europe and Asia.
They have met with much less enthusiasm in the United
States, in part because losses to fraud - just 5 cents for every
$100 spent via plastic - have been manageable for merchants and
their banks. But rising fraud rates, and the risk of identity
theft, could change the calculation.
The new scrutiny began after Target disclosed its breach.
Investigators believe hackers used malware that captured data on
customers from the magnetic stripes on their payment cards.
Duncan said no other members had told the NRF they had been
breached.
Executives of several other companies said over the weekend
that they were not aware of breaches at their companies. The
executives included representatives of Sears Holdings Corp
, JCPenney Co, Macy's Inc and Gap Inc
.
Still, the breach was the talk of the retail conference with
29,000 attendees. Several speakers cited it in remarks and some
tried to distance their companies from vulnerabilities.
Stan Lippelman, vice president of marketing at Bass Pro
Shops, a privately-held outdoor goods seller, said: "We feel
very comfortable with where we are at. But...the fact that it
happens to Target means it can happen to anybody, right?"