IE 11 is not supported. For an optimal experience visit our site on another browser.

Senate grills Target CFO on data breach

Target CFO John Mulligan faced a Senate judiciary committee on Tuesday to answer tough questions about last year's massive breach that involved 40 million credit cards.Mulligan apologized twice in his opening remarks for the breach, saying the retailer is "deeply sorry." He reiterated that Target is "undertaking an end-to-end review of our entire network."The hearing focused broadly on data breach
Target CFO John Mulligan faced questions from a Senate committee about a massive data breach at the retailer last year.
Target CFO John Mulligan faced questions from a Senate committee about a massive data breach at the retailer last year.Steven Senne / AP

Target CFO John Mulligan faced a Senate judiciary committee on Tuesday to answer tough questions about last year's massive breach that involved 40 million credit cards.

Mulligan apologized twice in his opening remarks for the breach, saying the retailer is "deeply sorry." He reiterated that Target is "undertaking an end-to-end review of our entire network."

The hearing focused broadly on data breaches, not only the attack on Target. Sen. Chuck Grassley, R.-Iowa, noted the committee is concerned that several retailers have suffered attacks recently. 

The Target breach grabbed the most headlines due to its massive size, but Neiman Marcus and possibly craft retailer Michaels also suffered breaches in similar attacks last year. The FBI reportedly warned retailers that it uncovered about 20 attacks similar to the one at Target.

"This attack has only strengthened our resolve," Mulligan said in his opening statement.

At the hearing -- which also included testimony from representatives of security firms, Neiman Marcus and several government agencies -- Mulligan provided more details about the timeline of the attack. He also laid out Target's plans to boost security.

The Senate panel spoke at length about a major part of that plan: Target now plans to implement chip-and-PIN technology in its own credit cards by early 2015, about six months earlier than its previous goal. (Mulligan previewed those plans in an article he wrote for The Hill late Monday, ahead of the hearing.) 

Chip-and-PIN
That chip-and-PIN technology Mulligan referenced adds a smart microchip embedded in the credit card. Customers use a PIN number — rather than a signature — to complete the transaction. If card numbers are stolen, it's more difficult for thieves to create new cards because the chips are tough to copy. 

The chip-and-PIN system is widely used in Europe and Canada already. But U.S. retailers and credit-card issuers have been loath to spend the billions of dollars required to create an entirely new payment system.

Target itself launched an aborted campaign for chip-and-pin cards about 10 years ago, in a pilot program that involved its own Target Visa REDcard. Target canceled the effort after three years.

A chip-based system could add a level of security, but the technology wouldn't have stopped the 2013 Target breach or others like it, Dave Aitel, the CEO of security firm Immunity told NBC News.

The hackers reportedly used software to directly infect the card swipers that Target uses in its physical stores. This software, called a "RAM scraper," grabs credit card data as it is briefly unencrypted as it passes through the computer's memory.

"[Chip-and-PIN] isn't the final answer, and I think Target knows that on some level," Aitel said. "If the card data is stolen, unencrypted, [chip-and-PIN] is just as vulnerable to that type of attack. But it does make it more expensive for [thieves] to copy the card."

Fran Rosch, an executive at security firm Symantec, echoed Aitel's point in his own testimony on Tuesday.

"It's not a panacea," Rosch said. 

Still, he pointed out that chip-and-PIN technology keeps card data encrypted for a longer period. Plus, it's a form of what's called "two-factor authentication": added security that requires both something you have (the credit card) and something you know (the PIN number).

Mulligan, the Target CFO, spoke several times about the need for industry-wide solutions and support -- including banks, retailers and all other parts of the payments system.

"To prevent this from happening again, none of us can go it alone," he said. "We need to work together."

Difficult to legislate
Several of the witnesses testifying before the Senate on Tuesday will also appear at a similar House hearing on Wednesday.

In the House committee's memo about Wednesday's hearing, the group pointed out that federal law governs data security in only a handful of sectors: financial, health and children’s websites. But there is no federal law that mandates how breaches like Target's are handled. 

The Senate Judiciary Committee members asked the panel on Tuesday about suggestions for legislation or other guidelines related to data breaches. 

But Rosch, the Symantec executive, warned that any rules need to be "flexible enough" to account for the fact that technical attacks are ever-changing.

Michael Kingston, the chief information officer at Neiman Marcus, agreed.

"Standards are helpful," Kingston testified on Tuesday. "But as soon as we establish standards, the whole world knows about it ... and can come up with ways to defeat those standards."

Julianne Pepitone is a senior technology writer for NBC News Digital. Previously she was a staff writer at CNNMoney, where she covered large tech companies including Apple and Google, as well as the intersection of tech and media. Follow Julianne on Twitter at @julpepitone or email her at julianne.pepitone@nbcuni.com.