A contrite Target CFO John Mulligan quietly served as the whipping boy for the huge retailer during a hearing of the Senate Committee on Commerce, Science & Transportation yesterday, in which Chairman Jay Rockefeller (D-WV) and Sen. Ed Markey (D-MA) administered a tongue lashing.
“I think we can all agree that if Target—or any other company—is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves. It is now well known that Target fell far short of doing this,” said Rockefeller. He then proclaimed that private companies like Target hold “vastly larger amounts” of sensitive personal data than does the government, “and they spend much less time and money protecting [it].”
In an opening statement in a hearing that also included FTC Chairwoman Edith Ramirez and University of Maryland (UMD) President Wallace Loh, Mulligan recounted how, on November 12 of last year, intruders falsely obtained credentials as Target-approved HVAC vendors and gained access to Target’s point of sale network to install malware in it. Target had no knowledge of the breach, Mulligan said, until receiving an alert of spurious activity from the Justice Department on December 12 and meeting with government officials the next day. Details of the breach were not released to the public until six days later, which was too long a lapse in the opinion of Rockefeller and other committee members.
“Signals were missed by management,” said Sen. Richard Blumenthal (D-CT). “The notification of the breach happened well before there was notification to consumers. There’s a question that arises in the minds of a lot of consumers: ‘Was there enough timely notification and what can be done to improve that pace in the future?’”
Markey questioned personnel selection in the data security department at Target headquarters. “To say that this is a surprise is just to say you’re not keeping up,” Markey scolded. “Five or six of the smartest young geeks in your company should have been asked what to do. They have access to the technology.”
After Loh testified that free credit reporting services for people involved in UMD’s breach were extended from one to five years following complaints, Markey chided Mulligan for not doing the same. “So Target just offered one year?” exclaimed the senator. “My concern is the same as Dr. Loh’s that one year is too brief a period of time.”
Mulligan provided an apology on Target’s behalf. “Let me reiterate how deeply sorry we are for the impact this incident has had on our guests—your constituents,” he said. “We are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes. In particular, we are focused on what information we had that could have alerted us to the breach earlier—whether we had the right personnel in the right positions and ensuring that decisions related to operational and security matters were sound. We are working diligently to answer these questions.”
All in all, it has not been a good week for the big retailer. Earlier in the day, it was reported that banks affected by the customer credit card breach had filed a class action suit against Target and its corporate information security vendor Trustwave.