Target CEO Gregg Steinhafel confirmed in a CNBC interview on Monday that he was made aware of the breach on December 15th and eliminating the malware was done the following day.
Target CEO confirmed zero liability and free credit reporting for guest affected by breach, which is status quo for this type of issue. As well as that malware installed on POS devices is what enabled thieves to steal 70 million customer cards, CVV numbers and encrypted PIN codes.
“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We removed that malware so that we could provide a safe and secure shopping environment.”
Target has taken other actions to protect its customers too, Steinhafel said, such as taking down 13 phishing sites that were preying on confused shoppers.
The retail giant also made good on its promise to offer free credit monitoring and identity theft protection when, on Monday, impacted individuals were given the green light to begin the enrollment process for those services.
Officials initiated an investigation and began forensic work on Dec. 16, 2013, Steinhafel said, explaining the following day was spent setting up the call center and preparing store employees for customer queries. Target then prepared to notify the public and announced the breach on Dec. 19, 2013.
“We have seen almost no fraudulent activity on our Target REDcard,” Steinhafel said, explaining Target will offer zero liability to customers by paying for any fraudulent charges on cards as a result of the breach. “We have some very low-level activity on the legacy Target Visa card. That’s the only place that we’ve seen anything to this point.”
Looking forward, Steinhafel said that he would like to see Target take a lead role in shifting the U.S. from cards that use vulnerable magnetic strips to cards that contain encrypted chips and follow the EMV global standard for chip cards.
However, it is already an initiative that began gaining momentum in 2011 and is expected to really take off in October 2015, according to Randy Vanderhoof, executive director with the Smart Card Alliance.
Vanderhoof told SCMagazine.com on Monday that chip cards offer a bigger safety benefit because financial information is encrypted on the chip and can only be read when swiped through a card reader, which creates a unique one-time key only for that single transaction.
“The use of EMV cards wouldn’t have prevented a data breach, but it would have been less likely to have occurred because there would be no value to be gotten from stealing the payment data,” Vanderhoof said. “They couldn’t resell it to people to make counterfeit copies of the card.”
All this is not stopping consumer advocates and the spawning of more than a dozen lawsuits.
But on Tuesday, a Seattle law firm filed a new complaint against Target alleging that the retailer was warned in 2007 by a security expert about weaknesses in its point-of-sale systems.
The lawsuit accuses Target of ultimately ignoring a white paper by Neal Krawetz naming the company and other retail chains as potential targets of account theft. Among the allegations: that Target was negligent before the breach and then misleading to customers afterward.
Law firm Hagens Berman Sobol Shapiro is seeking class-action status for the suit, which was filed in federal court in the Northern District of California.
And with the news about Nieman Marcus breach, the offices of Connecticut Atty. Gen. George Jepsen and Illinois Atty. Gen. Lisa Madigan confirmed they are looking into the Neiman Marcus break-in. Who will be next?