WASHINGTON — A top Target Corp. executive said Tuesday that the company tried to balance the need for customers to know about a computer breach with a desire to provide accurate information as it dealt with a cybertheft that affected up to 110 million customers.
In Target’s first appearance on Capitol Hill since one of the biggest heists of computerized data in American history, Chief Financial Officer John Mulligan described the hectic week between the time when Target first heard that its computer system may have been hacked and the time it told customers about the crime.
The company first took three days to confirm the presence of malware, then removed it from “virtually all registers in our U.S. stores,” Mulligan told members of the Senate Judiciary Committee. Then Target told payment processors and card networks about the trouble, fixed 25 more registers and prepared its employees for the onslaught of customer inquiries it expected when it let shoppers know of the breach.
Finally, on Dec. 19, a week after first hearing from the U.S. Justice Department about “suspicious activity involving payment cards,” Target announced the data breach publicly.
Mulligan’s testimony and the testimony of six others revealed a broad vulnerability to cyberthieves that must be addressed legislatively, said Minnesota Sens. Amy Klobuchar and Al Franken.
Franken asked Mulligan about published reports that Target’s cybersecurity system was “astonishingly” weak. Mulligan disagreed, but acknowledged that Target had no idea its computers had been hacked until the Justice Department called.