WASHINGTON A recently revealed cybersecurity breach at Neiman Marcus potentially exposed 1.1 million accounts to malware, but the upscale U.S. retailer believes the actual number affected was less than that, its chief information officer said on Tuesday.
U.S. retail executives including the chief financial officer of Target Corp (TGT.N) appeared before the Senate Judiciary Committee to answer questions about data breaches that exposed payment card and personal information of millions of customers to hackers in the last several months.
Target Chief Financial Officer John Mulligan apologized for the massive cyber theft over the holiday shopping period. About 40 million credit and debit card records were stolen, along with 70 million other records with customer information such as addresses and telephone numbers.
"I want to say how deeply sorry we are for the impact this incident has had on our guests - your constituents," Mulligan said in prepared remarks.
The No. 3 U.S. retailer is working hard to earn back the trust of its customers and "moving as quickly as possible to share accurate and actionable information with the public," he said.
Michael Kingston, chief information officer of Neiman Marcus, told the panel that payment card information from transactions at 77 of the company's 85 stores might have been exposed to malware between July and October.
"The maximum number of account numbers in our stores at that time when they were exposed to the malware was 1.1 million accounts," he said. "But we do believe because the malware was only operating at certain times that the number is less than that."
Kingston said there was no indication that the data breach had compromised transactions on the company's website or at its restaurants, and personal identification numbers were not compromised.
Committee Chairman Patrick Leahy, a Vermont Democrat, told Mulligan and other executives that U.S. consumers deserved to know when their private information had been compromised and what businesses were doing in response to cyberattacks.
"Public confidence is crucial to our economy," Leahy said. "If consumers lose faith in business' ability to protect their personal information, our economic recovery will falter."
Leahy asked Mulligan whether Target had known its systems had been hacked before the U.S. Justice Department notified the retailer of the breach.
"Despite significant investment in multiple layers of detection that we had in our systems, we did not," Mulligan replied.
U.S. lawmakers are holding a series of hearings this week on aspects of the data breaches.
On Monday, a top Secret Service agent joined a chorus urging lawmakers to do more to prevent the types of crimes that have come to light recently. Congress has wrestled for years with proposals for legislation on data security but has been unable to reach an agreement.
"All businesses - and their customers - are facing increasingly sophisticated threats from cyber criminals," said Mulligan. "To prevent this from happening again, none of us can go it alone."
On Monday Target said it was speeding up a planned $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft.
The cards contain tiny microprocessor chips that encrypt personal data shared with sales terminals used by merchants. Stolen smart-card numbers would be useless without the chip.
(Additional reporting by Peter Cooney; Writing by Jim Loney; Editing by Ros Krasny and Lisa Von Ahn)