Target Chief Financial Officer John Mulligan testified before the U.S. Senate Judiciary Committee on Tuesday -- the first time Target publicly answered questions about the malware attack that compromised the credit and debit card information of 40 million customers.
Personal information for an additional 70 million customers is also believed to be at risk.
"To begin with I want to say how deeply sorry we are for the impact this has had on our guests," Mulligan said.
WHAT TARGET KNEW + WHEN THEY KNEW IT
Mulligan laid out the following timeline for the Senate committee:
DEC. 12: Justice Department notified Target of suspicious activity. Multiple investigations underway.
DEC. 15: Confirmation there was malware on the system, with a potential theft of data stolen. The malware was removed.
DEC. 19: Target began its notification process.
"We had in place multiple layers of protection including firewalls, malware detection, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan said. "But the unfortunate reality is that we suffered a breach."
Mulligan said Target now has increased security and fraud detection in place, new cards have been issued, customers are being offered free credit monitoring for a year, and Target guarantees guests hold zero liability for fraudulent charges.
CHIP + PIN THE ANSWER?
Last month, Sen. Al Franken told Fox 9 that smart chip technology was one of his top concerns entering the hearing.
"There's this thing called EMV technology which is a smart chip that almost every industrialized country uses," Franken said. "In this country, we have about one-quarter of the credit and debit card transactions but we have one-half the fraud -- we're the target of hackers from overseas because of that."
Mulligan confirmed Target is accelerating its investment in smart chip technology, but why isn't chip and PIN widespread in the U.S. when the technology is 20 years old and widely used in Europe?
Target actually tried it in 2003.
"But without broad adoption there isn't a specific benefit for consumers," Mulligan said. "Other retailers having the ability to read that card, as well as the cards being issued with chip technology on them. Both pieces of the payment industry need to move together simultaneously."
That means getting the financial industry and card issuers onboard, which is an expensive move. And even with chip and PIN, or any new technology, security experts say it will forever be an ongoing game of cat and mouse.
"This is an ongoing war and the types of threats are changing all the time," Symantec Corp. Senior Vice President Fran Rosch testified.
While Target and Neiman Marcus were testifying Tuesday, the hearing was really aimed at all retailers and the payment industry. There is legislation in the works to help increase security and notification practices for all businesses.
WEB SECURITY: Loophole could make passwords irrelevant