Target’s massive data breach that exposed 40 million debit and credit card accounts during last year’s busy holiday shopping season went on longer than the company suspected, John Mulligan, the company’s chief financial officer, told a Senate panel Tuesday.
Three days after the company announced last month it had solved the breach by removing the malicious software from its system, transaction data were being stolen from another 25 checkout machines, Mr. Mulligan told the Senate Judiciary Committee. It was the first Capitol Hill appearance for the retailer since the hacking episode was uncovered.
The machines were offline when the malware was removed and affected fewer than 150 additional customers, he said.
Last month Target, the nation’s third-largest retailer, said the intrusion, in addition to the theft of some credit and debit card information, left as many as 70 million customers with their names, phone numbers and addresses compromised or stolen.
The company is “deeply sorry” for the breach, Mr. Mulligan said, and has offered affected customers free credit monitoring. The Secret Service and the Department of Justice are working with Target to investigate the intrusion. Target may be investigated by the Federal Trade Commission if it is found negligent in protecting its customers’ data.
Lawmakers are working to help thwart hackers and protect consumers by introducing new legislation aimed at retailers, banks, the federal government and other entities, after a slew of retail-related data breaches came to light over the holiday season.
Upscale retailer Neiman Marcus Group revealed that 1.1 million credit and debit cards of its in-store customers may have been compromised by a breach last year, and Easton-Bell Sports, a maker of sports equipment and clothing, said hackers gained access to about 6,000 online shoppers’ information in December. Neiman Marcus Chief Information Officer Michael Kingston also testified before the committee.
The number of data breaches is escalating. At least 619 breaches occurred last year in America alone, compromising 57.8 million consumer records, according to Identity Theft Resource Center, a San Diego-based nonprofit. The breaches laid bare customers’ names, credit card numbers, and card security codes, the nonprofit said.
“Safeguarding American consumers and businesses from data breaches and cybercrime has been a priority of this committee since 2005,” said Senate Judiciary Committee Chairman Patrick J. Leahy, Vermont Democrat. “American consumers deserve to know when their private information has been compromised and what a business is doing in response to a cyberattack.”
The idea of a data-breach bill seems to be receiving bipartisan support on Capitol Hill. Mr. Leahy reintroduced his data security bill after hearing the news of the Target case.
A second bill was also reintroduced by Senate Homeland Security Committee Chairman Thomas R. Carper, Delaware Democrat, and Sen. Roy Blunt, Missouri Republican, this year after the hacking.
“We’re all trying to find a solution, we have a major problem we’re trying to deal with,” said Iowa Sen. Chuck Grassley, ranking Republican on the Senate Judiciary Committee. “Criminal hackers aren’t quitters. So companies must be vigilant in defending their systems, as well as in taking steps after an attack to warn customers and limit the damage.”
In a recent report to retailers, the FBI warned of the spread of malware that can penetrate a store’s cash registers, or so-called point-of-sale (POS) systems.
“We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it,” the FBI wrote in a report.
“The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors,” the FBI said.
• Kelly Riddell can be reached at kriddell@washingtontimes.com.