WASHINGTON — Neiman Marcus executives on Tuesday defended their actions following a data breach at the luxury retailer that impacted 1.1 million of its customers.
In testimony before the Senate Judiciary Committee, Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus Group Ltd. LLC, said the company did not learn it had a “problem” with its computer system until Jan. 2, which was followed by a forensics investigation and the disabling of the malware.
Kingston said Neiman’s merchant processor informed it on Dec. 13 that Visa had “an unknown number of fraudulently reported credit cards with a possible common point of purchase at a small number of Neiman Marcus stores.” While Neiman’s pressed for more information, the merchant processor did not respond until four days later, when it said 122 MasterCards were fraudulently used. Kingston said that because of the malware’s sophisticated antidetection devices, the retailer did not learn from its forensic investigators that it had an “actual problem” with malware in its system until Jan. 2. It notified customers eight days later.
Kingston said current evidence in the ongoing forensic investigation has revealed that the potential customer payment card account information that was compromised by the malware came from transactions at 77 of its 85 stores between July and October. He said there is no indication that transactions on its Web sites or restaurants were compromised and that no PIN numbers were stolen because Neiman Marcus does not use PIN pads at its stores.
“The policies of payment card brands protect our customers from any liability for any unauthorized charges if the fraudulent charges are reported in a timely manner,” Kingston said in his testimony. “Nonetheless, we have now offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or Web sites — whether their card was exposed to the malware or not — one year of free credit monitoring and identity-theft insurance,” Kingston said.
Senators grilled Target Corp. and Neiman’s executives on the data security breaches that have affected millions of consumers, probing the industry’s preparedness to prevent future attacks and legislation to establish national standards and breach notification.
Prior to the hearing, Sens. Richard Blumenthal (D., Conn.) and Ed Markey (D., Mass.) introduced legislation to help protect consumers’ personal and financial information from hackers.
Senate Judiciary Committee Chairman Patrick Leahy (D., Vt.), who has tried to advance his own data privacy legislation for years and held the hearing, said he is “alarmed by the recent data breaches at Target and Neiman Marcus and Michaels Stores.”
“The investigations into those cyber attacks are ongoing. Yet, it is already clear that these attacks have compromised the privacy and security of millions of American consumers, potentially putting one in three Americans at risk of identity theft and other cyber crimes,” Leahy said. “Public confidence is crucial to our economy. If consumers lose faith in business’ ability to protect their personal information, our economic recovery will falter.”
Target reported a breach in December that the retailer initially said affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.
John J. Mulligan, executive vice president and chief financial officer at Target, outlined in his testimony the timeline (from Dec. 12 to Dec. 19) and the steps Target took to identify and neutralize the malware used in the data security breach and to first notify its customers.
“From the outset, our response to the breach has been focused on supporting our guests and strengthening our security,” Mulligan told the senators.
“The unfortunate reality is that we suffered a breach, and all businesses — and their customers — are facing increasingly sophisticated threats from cyber criminals,” Mulligan said.
Mulligan said Target now plans to take several steps to tighten its security of consumer data, including “accelerating” its investment in chip technology for Target REDcards and stores’ point of sale terminals. “We believe that chip-enabled technologies are critical to providing enhanced protection for consumers,” Mulligan said.
He also noted that Target is investing $5 million in a campaign with the Better Business Bureau, the National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to raise public awareness about cyber security and the dangers of consumer scams.
Target has not seen any fraud on its proprietary debit and credit cards due to the breach and only a “low amount” of fraud on its Target Visa card, Mulligan said.
Sen. Dianne Feinstein (D., Calif.) said she has consistently met resistance from the business community on breach notification legislation establishing a time frame for companies to notify consumers about data security breaches.
“I believe that if somebody has an account or uses credit at your institution and their data is breached, they should be notified so they can protect themselves,” Feinstein said.
“We agree with that completely,” Target’s Mulligan said. “Our focus has been on having accurate national information balanced with providing that notice as quickly as possible.…We felt that given the scope and breadth [of the breach] that public dissemination was appropriate to let all of our guests know virtually immediately. It was on the front pages of newspapers [around the country],” Mulligan said.
But Feinstein challenged Mulligan, arguing that customers should be notified directly and individually.
As for Neiman’s, Kingston said, “Once we knew that we had criminal activity inside our systems and who the impact was, we reached out individually to our customers and in fact reached out to more customers [all customers who shopped in Neiman Marcus stores for the entire year] just to be cautious, because it is important to us that our customer understands this is our primary concern.”
Senators also pressed the retailers and other experts on the panel about implementing a more secure payment card system similar to one in Europe that embeds smart chips in payment cards and requires a separate PIN number to use.
“We have been proposing ‘Chip and Pin’ for a very long time,” Mulligan said. “We are in the process of rolling it out to our stores…300 stores already have guest payment devices, and we are accelerating the $100 million investment to get those in our stores by the fourth quarter of this year, and then products we offer will have chips in them early next year.”
Kingston said Neiman Marcus does not currently use PIN pads in its stores but is willing to consider “anything that makes this process and consumer information safer, including Chip and Pin.”
“As a practical matter, it is important for the committee to understand that while the industry will be safer with that, there is a lot of work to do to make that happen,” Kingston said.