WASHINGTON (Reuters) – The Secret Service is urging U.S. lawmakers to do more to prevent the types of cyber thefts of consumer information that recently have hit Target Corp and other major retailers.
“Legislative action could help to improve the nation’s cybersecurity, reduce regulatory costs on U.S. companies, and strengthen law enforcement’s ability to conduct effective investigations,” said William Noonan, a top agent with the Secret Service’s cyber operations branch.
Noonan testified at a Senate Banking subcommittee hearing on safeguarding consumer financial data, the first of a series of panels scheduled this week in response to the Target breach and other incidents.
Target, the No. 3 U.S. retailer, was hit by a massive cyber theft over the holiday shopping period. Some 40 million credit and debit card records were stolen, along with 70 million other records with customer information such as addresses and telephone numbers.
While the Secret Service has been the lead player in the Target investigation, Noonan discussed its information-sharing efforts on cyber crime with other federal agencies as well as international law enforcement bodies such as Interpol.
Noonan focused on the transnational nature of cyber crimes, including “network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.”
“The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend,” Noonan said.
Luxury department store operator Neiman Marcus in late January said that about 1.1 million customer payment cards may have been exposed during a data breach that occurred from July 16 to October 30 last year.
Congress has been wrestling for years with proposals for legislation on data security, but has been unable to reach agreement. There is, for example, no national standard to govern how and when businesses that suffer consumer data breaches much advise their customers and federal agencies.
On Tuesday senior officials from Target and Neiman Marcus are scheduled to testify at a Senate Judiciary Committee hearing about recent data breaches.
DATA BREACH DETECTED AT MARRIOTT, SHERATON HOTEL CHAINS
(Reuters) – A credit card data breach has been detected that exposed guests at certain Marriott, Holiday Inn, Sheraton and other hotel properties to theft, hotel management firm White Lodging Services Corp said on Monday.
The breach occurred at food and beverage outlets at 14 hotels, including some operated under the Westin, Renaissance and Radisson names, between March 20 and December 16 last year, White Lodging said in a statement.
The company said information subject to potential theft by cyber criminals included names and numbers on consumers’ debit or credit cards, security codes and card expiration dates.
Customers who used their cards at the affected outlets should review all statements from the time in question and consider placing fraud alerts on their credit files, White Lodging said.
White Lodging would not estimate how many card numbers might have been taken. Krebs on Security, the cybersecurity blog that first reported the breach on Friday, said thousands of accounts had been compromised.
The latest data breach comes after the FBI warned retailers last month to prepare for more cyber attacks after discovering about 20 hacking cases in the past year involving the same kind of malicious software used against Target Corp over the holiday shopping season.
The incident involving Target, the No. 3 U.S. retailer, was one of the biggest retail cyber attacks in history.
In a confidential, three-page report to retail companies the FBI described the risks posed by “memory-parsing” malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines in checkout aisles.
Restaurants and lounges affected by the White Lodging breach were at hotels in Chicago; Austin, Texas; Richmond, Virginia; Plantation, Florida; Denver, Boulder and Broomfield, Colorado; Louisville, Kentucky; Erie, Pennsylvania; and Indianapolis and Merrillville, Indiana, the company said.
White Lodging, which manages 169 hotels that include brands of Marriott International, Starwood Hotels and Resorts and InterContinental Hotels Group, said it planned to offer affected consumers one year of identity protection services.
The company, based in Merrillville, Indiana, said it notified federal authorities of the suspected breach and had begun a review of other properties it manages.
A spokeswoman for White Lodging declined to comment beyond the company’s statement.
Marriott said one of its franchise management companies had “unusual fraud patterns” with payment systems, according to a statement from spokesman Jeff Flaherty. He added that Marriott was working with the company in the probe.
“Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide,” Flaherty added.
TARGET ACCELERATES CHIP-ENABLED SMART CARD PROGRAM
WASHINGTON (Reuters) – Target Corp, which suffered a massive data breach during the holiday shopping season, is speeding up a $100 million program to implement the use of chip-enabled smart cards to protect against cyber theft, a senior company executive said.
In an opinion piece on Monday in the Hill newspaper on the eve of his much-awaited appearance before the Senate Judiciary Committee, Chief Financial Officer John Mulligan said the retailer’s goal was to have the technology in place by early 2015, more than six months ahead of schedule.
The adoption of such chip-enabled cards would be “one step American businesses could now take that would dramatically improve the security of all credit and debit cards,” Mulligan wrote.
He said the United States had been slow to develop the technology, which was already in wide use in other parts of the world.
The enhanced smart cards contain tiny microprocessor chips that encrypt personal data shared with sales terminals used by merchants. Stolen smart card numbers would be useless without the chip, Mulligan said.
He noted that Target, the No. 3 U.S. retailer, had been working for years to adopt the technology.
“Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place. Our goal: implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”
Mulligan said requiring the use of four-digit personal identification numbers to complete sales transactions would provide additional safety.
“To be frank, there is no consensus across the business community on the use of PINs in conjunction with chip-enabled cards,” Mulligan wrote. “But Target supports the goal and will work toward adoption of the practice in our own stores and more widely.”
In the cyber theft that hit Target, some 40 million credit and debit card records were stolen, along with 70 million other records with customer information such as addresses and telephone numbers.
Luxury retailer Neiman Marcus has also disclosed a data breach that compromised data from about 1.1 million cards. Michaels Stores Inc, the biggest U.S. arts and crafts retailer, said it was investigating a possible security breach on its payment card network
“The data breach that struck our company spotlighted the sophistication of criminal hacker networks operating across the globe,” Mulligan wrote. “We know the attack created significant concerns for millions of customers. We will learn from this incident and we will work to make Target, and the wider business community, more secure in the future.”