Target to 'make significant changes' after data breach, CEO says

Target payment
A customer prepares to sign a credit card slip at a Target store in Miami, Fla.
Joe Raedle/Getty Images

The chief executive of Minneapolis-based Target is pledging to "make significant changes" in the wake of a pre-Christmas security breach.

Target says hackers made off with the names, phone numbers, email and mailing addresses of 70 million shoppers and as many as 40 million customers may have had credit and debit cards numbers stolen.

"We're going to have to learn from this. And we can't speculate on what we don't know. But we believe, we know in our heart of hearts, our environment is safe and secure," CEO Gregg Steinhafel said. "And everything that we've learned as it relates to guest data we've disclosed, and we don't believe that there, and there isn't any other evidence that speaks contrary to that."

The company is "accountable" and "responsible" for the thefts, Steinhafel, added.

Create a More Connected Minnesota

MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.

From the CNBC interview:

"My heart sunk," Steinhafel reflected, describing his initial reaction to word of the attack, which had hit Target at the worst time with the busy holiday shopping season in full-swing and Christmas just 10 days away.

"It's hard for me to describe the feeling that came over me," he revealed in a CNBC interview--his first since Target acknowledged the attack--four days after Steinhafel was initially informed.

Also Monday morning, Steinhafel posted a letter to Target customers on the company's website in which he outlined specific steps Target was taking after the data theft:

Please know we moved as swiftly as we could to address the problem once it became known, and that we are actively taking steps to respond to your concerns and guard against something like this happening again. Specifically, we have:

1. Closed the access point that the criminals used and removed the malware they left behind.

2. Hired a team of data security experts to investigate how this happened. That effort is ongoing and we are working closely with law enforcement.

3. Communicated that our guests will have zero liability for any fraudulent charges arising from the breach.

4. Offered one year of free credit monitoring and identity theft protection to all Target guests so you can have peace of mind.

Target says it has picked ProtectMyID, a service from Experian, to provide the credit monitoring to its customers. It is opening enrollment for the service today. The credit report does not include a credit score, although that is available for an additional fee.

Target also the service will be free for a year, and that customers have until April 23rd to request an activation code for the service. Customers will have to provide their name, address, date of birth and Social Security number to the credit agency to enroll.

Customers have to request an activation on the Target website. The company says it will reply with an email within five days, and recipients will have until April 30 of this year to enroll.

Steinhafel said on CNBC that customers who hold Target's Red Cards have seen very little fraud, and none involving the retailer's own credit card.

"We have three credit card products in our Red Card portfolio. We have a debit card and a proprietary credit card and we have seen zero activity on those cards. Not a single person used that information. Not a single person that we are aware of. Not a single person," he said. "We have some very low activity on our legacy Target Visa card. That's the only place we've seen anything to this point.

In related news, luxury retailer Neiman Marcus says thieves stole some of its customers' payment card information and made unauthorized charges over the holiday season.

Neiman Marcus's spokeswoman Ginger Reeder said in an email that its credit card processor notified the retailer in mid-December about potentially unauthorized payment card activity. On Jan. 1, a forensics firm confirmed evidence that the upscale retailer was a victim of a criminal cyber-security intrusion and that some customers' cards were possibly compromised as a result.

---

The Associated Press contributed to this report.