date 2014-02-04
By Alina Selyukh
WASHINGTON Feb 4 U.S. retailers speaking to a
U.S. Senate panel on Tuesday bemoaned the sophistication of
hackers and urged better collaboration with banks on anti-theft
technology.
However, they revealed few new details of recent massive
data breaches that compromised the personal information of
millions of customers.
In a relatively collegial hearing before the Senate
Judiciary Committee, executives of retailers Target and
Neiman Marcus said hackers had found ways to
penetrate their best security practices.
"I think what we've learned ... is that just having the
tools and technology isn't enough in this day and age," Neiman
Marcus Chief Information Officer Michael Kingston told the
panel. "These attackers again are very, very sophisticated and
they've figured out ways around that."
Target Chief Financial Officer John Mulligan said his
company was "deeply sorry" for a cyber breach over the holiday
shopping period in which about 40 million credit and debit card
records were stolen, along with 70 million other records with
personal customer data.
Patrick Leahy, a Vermont Democrat, asked Mulligan whether
Target, the No. 3 U.S. retailer, had known that its systems had
been hacked before the U.S. Justice Department notified the
company of the breach in mid-December.
"Despite significant investment in multiple layers of
detection that we had in our systems, we did not," Mulligan
replied.
Neiman Marcus said the breach of its systems exposed payment
card information from transactions in 77 of 85 stores between
July and October last year but added that it found no
indication that website or restaurant transactions were
compromised or that personal identification numbers were
affected.
"The maximum number of account numbers in our stores at that
time when they were exposed to the malware was 1.1 million
accounts," Kingston told the panel. "But we do believe, because
the malware was only operating at certain times, that the number
is less than that."
Kingston and Mulligan are slated to testify again on
Wednesday before a House of Representatives panel.
CHIP-AND-PIN
The companies, joined by lawmakers and consumer advocates,
suggested an accelerated move to a new type of payment cards
known as "chip-and-PIN." They store customer information on
computer chips and require users to type in personal
identification numbers to make further breaches less likely.
"It is of concern to me that our payment card systems really
do need improvement," Federal Trade Commission Chairwoman Edith
Ramirez said at the hearing.
She later added: "Based on latest information available to
us ... it's clear that companies need to do a lot more, that
they continue to make basic mistakes."
Target said on Monday it was speeding up a planned $100
million program to implement the use of chip-enabled smart cards
to protect against cyber theft. Mulligan said that investment
would be split between installing new card readers and the cost
of issuing chip-and-PIN cards.
Whether "chip-and-PIN" cards would have prevented the
breaches at Target and Neiman Marcus is not clear, but experts
say at the very least they make stolen data harder to re-use, a
reason the technology has caught on widely in Europe and Asia.
They have met with much less enthusiasm in the United
States, in part because losses to fraud - 5 cents for every $100
spent via plastic - have been manageable for merchants and their
banks.
"We're talking about something that's widely used in Europe
and could easily be imposed here much earlier," Senator Richard
Blumenthal, a Connecticut Democrat, told retailers.
"I don't want to say that we've left the door unlocked in
the retail industry, but the locks are a lot less
sophisticated," he added later. "Industries have some soul
searching to do on whether they've been sufficiently protective
of the consumer information."
Mulligan urged closer collaboration with the financial
industry to move collectively on chip-and-PIN.
"All of us need to move together simultaneously. It's a
shared responsibility," he said.
Neiman Marcus's Kingston said he welcomed new standards that
may set a higher bar for companies' security practices and
better sharing of information about breaches with law
enforcement agencies.
Some lawmakers are once again taking up an effort to pass
legislation to regulate data breach responses after similar
pushes gained little traction in the past.
"Anything that strengthens the security of data is a good
thing," said the Justice Department's acting assistant attorney
general, Mythili Raman.
But she cautioned: "Malware adapts every day, botnets adapt
every day, criminals are early adopters of almost every kind of
technology and our challenge is to stay ahead of them."