Senators grilled executives from Target and Neiman Marcus Tuesday over a series of data breaches that took place during the 2013 Christmas shopping season.
John J. Mulligan, executive vice president and chief financial officer for the Target Corporation, and Michael R. Kingston, senior vice president and chief information officer for the Neiman Marcus Group, took tough questions about the future of retail technology from the Senate Judiciary Committee.
“I’m a shopper at your institution, Mr. Kingston, and I don’t recall getting any notice that my data may have been breached,” Sen. Dianne Feinstein (D-Calif.) said. “When would I have had notice?”
Neiman Marcus has claimed that its breach took place weeks earlier, but that by Jan. 6 it had learned the malware placed on its systems could scrape user data. Kingston said the company began “immediately” notifying the 1.1 million customers potentially affected on Jan. 22 — two weeks after they learned of the incident.
“So somewhere in my record, I should find record of a notice [that my data was breached]?” Feinstein pushed back on the notification angle for several minutes, insisting that individual and immediate notification of a potential breach is the only acceptable solution. Kingston said Neiman Marcus has notified all of its customers who shopped in the stores.
“Then I’ll go home and look for my notice,” Feinstein said.
Mulligan explained that the Target Corporation didn’t wait until each Target “guest” could be individually notified; the company figured that releasing the news of the security breach to the press would get the information out faster and farther. Just four days after they found the malware, Target began notifying customers who had given email addresses to the corporation. “Given the scope, we thought it appropriate that broad disclosure was the best path to go … through the media, our website, and social media,” he said.
In his opening remarks for the hearing, Mulligan apologized to Target customers.
“I want to say how deeply sorry we are for the impact this incident has had on our guests – your constituents,” he said. “We will learn from this incident and, as a result, we hope to make Target, and our industry, more secure for customers in the future.”
Sen. Orrin Hatch (R-Utah) asked the Target CEO what the company plans to do to improve data protection for online purchases.
“We can’t let the perfect get in the way of the good,” Mulligan said, and explained that chip-and-PIN technology, which requires users to enter a secure code to use the card, presents a two-layer approach that improves data security.
Sen. Chuck Grassley (R-Iowa) asked the panel what part the private sector should play, if any, in the lawmaking process, if the government were to implement regulations for safe transactions.
“I think private industry and government have to work together here,” said Mulligan. “It’s a shared responsibility [to protect consumer data] and communication between both the private sector and the public sector is important. We’ve had ongoing relationships and information sharing with law enforcement and that needs to happen more broadly … between private organizations more broadly and the government to find solutions here.”
Follow Elizabeth Kreft (@elizabethakreft) on Twitter.