The fallout continues from the Target Corp. cybersecurity breach.
This story first appeared in the December 27, 2013 issue of WWD. Subscribe Today.
New Jersey politicians are the latest to weigh in on the data hacking. U.S. Sen. Robert Menendez (D., N.J.) said Thursday morning in front of a Target store in Jersey City that he wants the federal government to hold companies responsible when consumers’ financial data are stolen.
Target said last week that the details of about 40 million Target customer accounts — both credit and debit — had been stolen by hackers. The data breach occurred from Nov. 27 to Dec. 15 at the discounter’s U.S. stores.
Menendez, who is also a member of the Senate Banking Committee, said, “If in fact you have a company, whether it be Target or any other, that is not making the investment in their security process to ensure that what happened to Target doesn’t happen, then you have to question why a company would not do that.”
He also said he is probing whether the Federal Trade Commission can fine firms when such data breaches occur. If not, he said he plans to introduce legislation that would enable the FTC to do so.
In addition, State Sen. Kevin O’Toole (R., District 40) has requested New Jersey Acting Attorney General John Hoffman investigate the security breach at the discounter.
In a letter dated Dec. 24, O’Toole wrote in part: “While I am sure the seriousness of this news is not lost upon you and there are reports that the U.S. Department of Justice is conducting its own investigation, I ask that your office open an investigation into this matter to ensure that citizens of New Jersey are protected. We cannot sit idly by as hard-working New Jerseyans face the prospect of having their accounts raided, identities stolen and credit ratings destroyed.”
He requested in his letter that the state attorney general’s office “join the class filed by five other states to help customers from New Jersey that might be impacted.”
On Monday, the attorneys general for Connecticut, Massachusetts and New York, as well as the incoming attorney general for Oregon, were among those who reiterated pledges to help their respective constituents impacted by the breach to deal with the fallout.
RELATED STORY: Attorneys General Speak Out on Target Breach >>
Target said that Tim Baer, the retailer’s executive vice president and general counsel, on Monday hosted a call for attorneys general across the country to discuss the breach, and plans to hold a follow-up call the week of Jan. 6.
The company also said on its Web site that it is partnering with the Secret Service and U.S. Department of Justice on the “ongoing forensic and criminal investigation,” but was also quick to note Tuesday that “neither entity is investigating Target.”
Contradicting published reports, Target said Tuesday that neither encrypted nor unencrypted PIN data had been compromised in the breach. Calls and e-mails on Thursday to Target seeking updated information received no response.
Security breaches at retailers have been occurring on a semiregular basis, with some happening via malware placed on retailers’ networks, such as that with the Target breach.
Ronald Friedman, the retail practice leader and partner-in-charge of the Southern California region for financial services firm Marcum LLP, said, “In Europe, the cards have digital chips [embedded] to protect the information from being stolen. We have to change the way the credit cards are [produced] here. We have to block access to information. This is a wake-up call to do something here.”
In the U.S., credit cards and their debit counterpart use a magnetic strip to store account information that’s easy for thieves to replicate. Starting in fall 2015, credit card companies are supposed to replace the strips with digital chips that generate a unique code whenever the cards are used. That chip is supposed to make it harder for hackers to both steal the data and then produce fake cards.
While card holders might have reservations about what personal information may have been compromised at Target, investors didn’t have those concerns. They shrugged off the debacle and sent shares of the retailer up nearly 1.3 percent to close at $62.48 on Thursday in Big Board trading. The rise in the share price came despite analysts’ reports that said the retailer’s traffic definitely suffered over the pre-Christmas weekend as a result of the data breach even though Target offered an additional 10 percent off everything in the store to spur shoppers.
So far what is believed to be the largest hacking and data breach scheme ever prosecuted in the U.S. occurred in July, when federal prosecutors unsealed an indictment charging five men with targeting more than a dozen firms — including Carrefour SA, J.C. Penney Co. Inc., The Wet Seal Inc. and Heartland Payment Systems — that resulted in the theft of more than 160 million credit card numbers in the aggregate and more than $300 million in losses.
That indictment also listed four coconspirators who were not indicted. One of the four, Albert Gonzalez, was sentenced to 20 years in prison in 2010 for his role in leading a group of cyberthieves stealing more than 40 million credit and debt numbers in a Boston federal indictment for hacking into retailers’ wireless networks. The largest target in that scheme was The TJX Cos. Inc., which is believed to be the largest theft of card accounts at a retailer in the U.S.
In the TJX incident, the off-pricer experienced a breach affecting about 45.7 million credit and debit cards in 2005 and 2006. However, it wasn’t disclosed until January 2007. Later that year, the company established a reverse fund of $107 million, on an after-tax basis, to cover possible exposure in the cyberfraud scheme. It would ultimately put more than $200 million into that reserve, although it would later reduce the pool by $30.5 million.
The TJX computer intrusion episode took longer to reveal than the one affecting Target and touched more of that retailer’s customer accounts. And because of the difference between its corporate name and those of its nameplates, such as TJ Maxx and Marshalls, its brand equity wasn’t compromised to the same extent as some of its customers’ credit standing.
With 40 million card numbers stolen, the Target data breach is likely the second-largest in U.S. history involving a retailer.