(Reuters) — A senior official at Target Corp. told U.S. lawmakers on Tuesday the retailer was "deeply sorry" for the massive data breach it suffered over the holiday shopping period, and said it was determined to win back customers' trust.
In prepared testimony for his appearance before a U.S. Senate Judiciary Committee hearing probing the data breaches, John Mulligan, Target chief financial officer and executive vice president, said the cyber attack "has only strengthened our resolve."
"We will learn from this incident and, as a result, we hope to make Target, and our industry, more secure for customers in the future," he said.
The committee hearing is one of a series of congressional panels this week in response to the Target breach and other incidents.
Target, the No. 3 U.S. retailer, disclosed on Dec. 19 that it was a victim of one of the biggest credit card breaches on record. Mr. Mulligan said it affected customers who shopped at the company's U.S. stores from Nov. 27 through Dec. 18.
Some 40 million credit and debit card records were stolen from the retailer, along with 70 million other records with customer information such as addresses and telephone numbers.
"I want to say how deeply sorry we are for the impact this incident has had on our guests — your constituents," Mr. Mulligan told the committee in his prepared remarks. "We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back."
Mr. Mulligan said the retailer started its investigation of the breach on Dec. 12 after being notified by the U.S. Justice Department of suspicious activity involving payment cards used at Target stores.
On Dec. 15, Target confirmed that criminals had infiltrated its system through the use of malware, and had potentially stolen payment card data, Mr. Mulligan said. On the same day, Target removed the malware from virtually all its U.S. sales registers.
"We now know that the intruder stole a vendor's credentials to access our system and place malware on our point-of-sale registers. The malware was designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system," Mr. Mulligan said.
He added that the company's investigation later found that the malware also captured some encrypted data for personal identification, or PIN, numbers.
Mr. Mulligan said the company had taken a number of steps since the breach to strengthen its security, including a review of its entire network, increased fraud detection for its Target REDcard holders and accelerated investment in chip technology for its REDcards.
In an opinion piece on the Hill newspaper on Monday, Mr. Mulligan wrote that Target now hoped to implement its $100 million chip-enabled smart-card program by early 2015, more than six months ahead of its previous schedule.
The enhanced smart cards contain tiny microprocessor chips that encrypt personal data shared with sales terminals used by merchants. Stolen smart-card numbers would be useless without the chip.
Also scheduled to appear at the hearing on Tuesday is Neiman Marcus Group Senior Vice President Michael Kingston.
The Dallas-based luxury retailer has disclosed a data breach that compromised data from about 1.1 million cards.