By Alina Selyukh
WASHINGTON, Feb 5 - The Illinois official who is leading a multi-state probe into recent high-profile data breaches told U.S. lawmakers on Wednesday that companies whose systems have been hacked often have failed to take basic security precautions.

Lisa Madigan, the Illinois attorney general, spoke at a congressional hearing as lawmakers review whether retailers Target Corp and Neiman Marcus Group LLC properly protected their customers' information.

Top executives of Target and Neiman Marcus, which suffered major data breaches last year that exposed private information of millions of customers, testified in Congress for a second straight day, saying the attacks were so sophisticated that they evaded their best security practices.

Madigan warned, however, that past investigations of other data breaches turned up repeated instances in which companies allowed their systems to retain unencrypted data, failed to install software patches for known vulnerabilities and kept information longer than necessary.

"During prior breach investigations, we have found instances when companies failed to take basic steps to protect consumer data," Madigan told a House Energy and Commerce Committee panel. "So the notion that companies are already doing everything they can to prevent breaches is false."

The companies and federal investigators are still trying to figure out how hackers stole the data. Experts testified that the malware used in the massive thefts was so complex and customized that common network security systems could not detect it.

"I didn't hear a smoking gun," Representative Lee Terry, a Republican from Nebraska, told reporters after the hearing held by his commerce subcommittee. "But like (the retailers) said, their audits aren't complete. We knew that coming in here and we'll continue to have dialogue."

"It looked like it was a process failure," he said.

Target, the third-largest U.S. retailer, has said the theft of a vendor's credentials helped cyber criminals steal about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers.

Luxury retailer Neiman Marcus has said a maximum of 1.1 million accounts were exposed to malware during the breach of its computers last year.

"At Neiman Marcus, we felt and feel very good about the high standards of security that we had in place," Neiman's chief information officer, Michael Kingston, said on Wednesday.

"Obviously, there will be lessons learned," he added.
SOPHISTICATED CRIMINALS
Target announced this week it was speeding up a planned $100 million program for a new type of payment card known as "chip-and-PIN," which stores information on computer chips and requires users to type in personal identification numbers to make fraudulent use less likely.

But security experts and IT service providers say moves like Target's are a drop in the bucket as retailers defend against increasingly complex cyber attacks.

"As good as security factors are, these criminal organizations are looking for ways to go around whatever security (restrictions) have been set up," Secret Service agent William Noonan told Wednesday's hearing.

Noonan said the data breaches at Target and Neiman Marcus were separate, distinct attacks using different "criminal tools," but the investigation had not yet revealed whether they were carried out by the same group of hackers.

"These were very sophisticated, coordinated events and it was not necessarily a singular actor," he said. "When you bring together a coordinated group of sophisticated criminals, they will find" ways around defenses.

The Secret Service is the lead agency investigating the recent breaches.
NEXT STEPS
The companies, lawmakers and consumer advocates have suggested an accelerated move to chip-enabled cards, which are already used widely in Europe and Asia.

They have been met with much less enthusiasm in the United States, in part because losses to fraud - 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks.

"Frankly, it is negligent of the United States to fall behind the rest of the world when it comes to security of our payment systems," Madigan told lawmakers.

Federal Trade Commission Chairwoman Edith Ramirez asked lawmakers to give the FTC, which investigates and enforces companies' privacy standards, civil penalty authority, jurisdiction over nonprofits and authority to set new rules "to enable us to deal with evolving risks and harms."

The high-profile breaches have revived efforts in Congress to pass legislation to regulate data breach responses, including potentially setting a federal standard for how and when companies have to notify consumers about a breach.

Currently, notification rules are set through a patchwork of state laws, and questions about federal rules pre-empting states' authority helped stall previous attempts to pass new data security bills in Congress.