Target Data Breach Puts Consumer Privacy on Senate Agenda


The massive data breach that compromised as many as 40 million customer credit and debit cards and the personal data of another 70 million Target (NYSE:TGT) shoppers at the end of last year will catapult the retailer’s chief finance officer, John Mulligan, in front of the U.S. Senate Judiciary Committee on February 4 to discuss “privacy in the digital age,” with particular emphasis on “preventing data breaches and combating cybercrime.” This appearance is expected to be the first time the company answers questions about the cyber attack. Lawmakers want to know how consumers were affected by the data breach and to determine what tactics retailers can employ in the future to protect themselves from such damaging invasions.

In addition, the commerce, manufacturing, and trade subcommittee of the House of Representatives’ Committee on Energy and Commerce will conduct a hearing of its own on February 3.

While Target has not detailed how the security of its network was breached and important data siphoned away, investigators believe the hackers installed memory-parser malware on cash registers or servers to extract magnetic-stripe data, which is otherwise encrypted, as it moves through the live memory of the computer, where it appears in plain text. Credit-card company Visa (NYSE:V) issued two warnings last year about the increase in cyber attacks, but it is unclear whether Target implemented the recommended protection measures.

However, a law enforcement source did inform Reuters last week that the security measures Visa outlined may not have been enough. The United States Secret Service, which has jurisdiction over credit-card fraud, is investigating several recent incidents.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Gregg Steinhafel, the company’s chair, president, and chief executive officer, said in a January 10 press release. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

In that release, Target provided an update to its expected fourth-quarter 2013 financial results. Since the news of the data breach has affected shoppers’ confidence, the retailer forecast a sales decline of approximately 2.5 percent from the fourth quarter of 2012, while earnings per share are now expected to come in between $1.20 and $1.30, compared with prior guidance of $1.50 to $1.60.

Last week, Democratic lawmakers in both the House of Representatives and the Senate began advocating for a congressional inquiry into the cyber attacks at Target, the third-largest retailer in the United States. At next month’s hearing before the Judiciary Committee, chaired by Democratic Senator Patrick Leahy of Vermont, representatives of the Federal Trade Commission, the Secret Service, and the Department of Justice will testify as well, according to the committee’s schedule. In 2005, Senator Leahy authored and sponsored the Personal Data Privacy and Security Act, reintroducing the legislation in each of the last four sessions of Congress.

“The recent data breach at Target involving the debit and credit card data of as many as 40 million customers during the Christmas holidays is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation,” said Leahy in a January 8 press release. “That is why today I am introducing the Personal Data Privacy and Security Act, a bill that aims to better protect Americans from the growing threats of data breaches and identity theft. This important issue will also be the focus of a hearing before the Judiciary Committee this year.”

Privately owned luxury retail chain Neiman Marcus acknowledged earlier in January that its systems had been hacked as well. In the middle of December, the company was informed by credit-card processors Visa, Mastercard (NYSE:MA), and Discover (NYSE:DFS) of possible unauthorized charges on the accounts of approximately 2,400 customers. Chief Executive Officer Karen Katz said on January 22 that data linked to about 1.1 million customer payment cards was compromised between July 16 and October 30. Additionally, as Reuters reported, data security breaches have occurred at three other well-known U.S. retailers, although those attacks have not yet been publicly disclosed.

As American shoppers increasingly use credit or debit cards instead of cash, retailers are creating huge stores of personal information that cyber thieves are anxious to acquire, and as credit and debit card use has grown in the United States, the incidence of fraud has correspondingly risen. Not only are fraud rates on the rise, but the absolute fraud numbers are massive. Only about 6 cents of every $100 spent using plastic is lost to fraud, but United States businesses lost $11.27 billion to fraud in 2012, an increase of 14.6 percent from 2011. The breaches of customer data at Target and Neiman Marcus this year illustrate in sharp relief the problem with the United States credit system: even though fraud rates are increasing, businesses have yet to adopt widely available technology that would make credit card fraud much harder to commit.

Most other countries have abandoned the use of the magnetic stripe on the back of a card to store data. Instead, cards are designed with an embedded chip that generates a new code for every transaction, making them very hard to counterfeit. That technology for computerized cards, known as EMV, has been around since the 1990s. Magnetic stripes are comparatively much easier to fake, and the United States now has the highest incidence of credit card fraud.

Last year, this country experienced 47 percent of global fraud, while processing only 24 percent of global payments by volume, according to the Nilson Report, an industry publication. Still, after the data breaches at Target and Neiman Marcus, 2013 could be a watershed moment for the industry as more consumers call for their personal information to be better protected.

Follow Meghan on Twitter @MFoley_WSCS