(Reuters) — U.S. companies that have fallen prey to hackers, exposing the private information of millions of customers, have often failed to take basic security precautions to protect client data, Illinois Attorney General Lisa Madigan told a congressional panel on Wednesday.
Ms. Madigan said previous investigations, conducted before the recent spate of high-profile breaches, had turned up repeated instances where companies allowed their systems to retain unencrypted data, failed to install software patches for known vulnerabilities and retained information longer than necessary.
Ms. Madigan said her office and that of Connecticut Attorney General George Jepsen are now leading a multistate investigation into recent data breaches that affected millions of customers of U.S. retailers Target Corp., Neiman Marcus Group L.L.C. and Michaels Stores Inc.
On Tuesday, top executives of Target and Neiman Marcus told the Senate Judiciary Committee that hackers had found ways to penetrate their best security practices. Both companies bemoaned the sophistication of hackers behind recent data breaches that exposed the private data of millions of their customers.
"During prior breach investigations, we have found instances when companies failed to take basic steps to protect consumer data," Ms. Madigan told the House Energy and Commerce Committee. "So the notion that companies are already doing everything they can to prevent breaches is false."
The companies offered reasons for not deploying more secure technology that ranged from high costs to length of check-out times to disputes between banks and retailers, Ms. Madigan said.
"Frankly, it is negligent of the U.S. to fall behind the rest of the world when it comes to security of our payment systems," she said.
In testimony on Tuesday, Target Chief Financial Officer John Mulligan apologized for a cyber breach over the holiday shopping period in which about 40 million credit and debit card records were stolen, along with 70 million other records with personal customer information such as telephone numbers.
He told the committee the company had not been aware its systems had been hacked before being notified of the breach by the U.S. Justice Department.
The companies, joined by lawmakers and consumer advocates, suggested an accelerated move to a new type of payment card known as "chip-and-PIN." Those cards store customer information on computer chips and require users to type in personal identification numbers, a design meant to make further breaches less likely.
Some U.S. lawmakers are once again taking up an effort to pass legislation to regulate data breach responses after similar pushes gained little traction in the past.