Target executives have admitted before a US Senate committee that the company was not aware that sensitive data stores had been breached by hackers until the US Justice Department notified it late last year.
Patrick Leahy, a Vermont Democrat, asked Target CFO John Mulligan whether Target, the No. 3 US retailer, had been alerted to the attack by internal controls.
"Despite significant investment in multiple layers of detection that we had in our systems, we did not," Mulligan replied.
He said his company was "deeply sorry" for a cyber breach over the holiday shopping period in which about 40 million credit and debit card records were stolen, along with 70 million other records with personal customer data.
Mulligan and several other US retailers appeared before a Senate Judiciary Committee to detail how they plan to protect customer data, following recent massive data breaches that compromised the personal information of millions of customers.
They bemoaned the sophistication of hackers and urged better collaboration with banks on anti-theft technology.
In a relatively collegial hearing, executives of retailers Target and Neiman Marcus said hackers had found ways to penetrate their best security practices.
"I think what we've learned ... is that just having the tools and technology isn't enough in this day and age," Neiman Marcus Chief Information Officer Michael Kingston told the panel. "These attackers again are very, very sophisticated and they've figured out ways around that."
Neiman Marcus said the breach of its systems exposed payment card information from transactions in 77 of 85 stores between July and October last year, but added that it found no indication that website or restaurant transactions were compromised or that personal identification numbers were affected.
"The maximum number of account numbers in our stores at that time when they were exposed to the malware was 1.1 million accounts," Kingston told the panel. "But we do believe, because the malware was only operating at certain times, that the number is less than that."
Kingston and Mulligan are slated to testify again on Wednesday before a House of Representatives panel.
Chip and PIN
The companies, joined by lawmakers and consumer advocates, suggested an accelerated move to a new type of payment card known as "chip-and-PIN." These cards store customer information on computer chips and require users to type in personal identification numbers to make further breaches less likely.
"It is of concern to me that our payment card systems really do need improvement," Federal Trade Commission Chairwoman Edith Ramirez said at the hearing.
She later added: "Based on latest information available to us ... it's clear that companies need to do a lot more, that they continue to make basic mistakes."
Target said on Monday it was speeding up a planned $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft. Mulligan said that investment would be split between installing new card readers and the cost of issuing chip-and-PIN cards.
Whether "chip-and-PIN" cards would have prevented the breaches at Target and Neiman Marcus is not clear, but experts say at the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.
They have met with much less enthusiasm in the United States, in part because losses to fraud - 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks.
"We're talking about something that's widely used in Europe and could easily be imposed here much earlier," Senator Richard Blumenthal, a Connecticut Democrat, told retailers.
"I don't want to say that we've left the door unlocked in the retail industry, but the locks are a lot less sophisticated," he added later. "Industries have some soul searching to do on whether they've been sufficiently protective of the consumer information."
Mulligan urged closer collaboration with the financial industry to move collectively on chip-and-PIN.
"All of us need to move together simultaneously. It's a shared responsibility," he said.
Neiman Marcus's Kingston said he welcomed new standards that may set a higher bar for companies' security practices and better sharing of information about breaches with law enforcement agencies.
Some lawmakers are once again taking up an effort to pass legislation to regulate data breach responses after similar pushes gained little traction in the past.
"Anything that strengthens the security of data is a good thing," said the Justice Department's acting assistant attorney general, Mythili Raman.
But she cautioned: "Malware adapts every day, botnets adapt every day, criminals are early adopters of almost every kind of technology and our challenge is to stay ahead of them."