WASHINGTON – A Target executive told a full Senate Judiciary Committee Tuesday the retailer had no knowledge of the malware on its system until the Justice Department notified it of the security breach on the evening of Dec. 12.
John J. Mulligan, Target executive vice president and chief financial officer, also said a move to chip-and-PIN technology would cost Target $100 million.
He added that Target explored chip-and-PIN Target Visa REDcards almost 10 years ago, but the program was later cancelled.
Mulligan also confirmed what has been reported about the breach: the theft included personal data, and the attack involved both point-of-sale malware and stolen vendor credentials.
As the forensic investigation continued, Mulligan said Target learned that the malware also captured some strongly encrypted PIN data.
Mulligan said Social Security numbers were not compromised during the breach, which impacted 40 million debit and credit card accounts.
“We are working closely with the U.S. Secret Service and the U.S. Department of Justice on the investigation – to help bring to justice the criminals who perpetrated this wide-scale attack on Target,” Mulligan said.
Michael Kingston, senior vice president and chief information officer of The Neiman Marcus Group, told the committee that PIN data was not compromised in the data breach suffered by Neiman Marcus in December since the retailer does not use PIN pads.
Committee member Sen. Dianne Feinstein (D-Calif.) said that in the past she found retailers did not want to notify individual customers of breaches. Any data security bill should require such notification, she declared.
Sen. Al Franken (D-Minn.) agreed federal law should set data security standards for retailers and financial institutions, and require retailers to tell their customers when their data has been stolen.