The Target data breach reached further than originally disclosed, but not by much.
The criminals who stole credit and debit card numbers also made off with data from 24,000 payment cards used by welfare and food stamp recipients. A Target official on Tuesday also revealed that 25 cash registers continued to cough up payment card data for a few days after the retailer thought the system had been secured, though only 150 customers were affected.
The company continued to apologize for the massive data theft as it called again for a collective industry effort to protect customer data from digital thieves.
"This is an evolving threat and we think one of the keys going forward is shared responsibility," Target chief financial officer John Mulligan told the U.S. Senate Judiciary Committee, which is considering legislation to help combat the theft of consumer data.
In prepared remarks, Mulligan disclosed that Target missed 25 cash registers when it initially moved to eradicate malware from its stores on Dec. 15. Mulligan said the machines had been disconnected from Target's computer systems during the first sweep and the malicious code wasn't removed until Dec. 18. That was the day before Target revealed criminals had stolen account numbers for 40 million payment cards.
Mulligan noted that Target tried about a decade ago to get retailers and banks to adopt so-called smart cards that contain computer chips. The cards are harder to compromise than traditional cards. But Target, he added, was going it alone.
"Without broad adoption there aren't significant benefits for consumers," he said. "We've been advocates of this and all of us need to move together simultaneously."
Target is trying again. The chain is preparing both stores and customers to be ready for smart cards next year, as the retail and banking industries move toward adoption of smart cards, Mulligan said.
Mulligan took umbrage at any suggestion Target was an easy mark for hackers.
"Over the past several years, we have invested hundreds of millions of dollars in several areas, in technology to prevent data loss," he said. "This includes malware detection, intruder detection and prevention, data loss prevention tools, multiple layers of firewalls."
Many observers expected Mulligan to come in for a grilling. But Target got more sympathy than criticism from Judiciary committee members, including Minnesota DFL Sen. Al Franken, who chairs a subcommittee on privacy and technology.
"Credit and debit cards just aren't secure enough," Franken said. "We have no federal standard for data security and breach notification. We have to update our card technology and laws to address these 21st century threats to our data security. We really can't afford not to."
Representatives of Target, Nieman Marcus, and security and government agencies said data breaches can't be eliminated. But they agreed there's a lot that can be done to make a crook's job harder. That includes everything from adopting smart card technology to basics like strong passwords and encryption.
Minnesota officials say they're keeping watch on potential problems with the electronic benefit transfer cards used by welfare recipients, but they note the cards can only be used at certain ATMs, along with point-of-sale terminals in stores - and there's no personal information on the cards' magnetic stripes.
"We have not heard from any client that they were affected by the data breach," said Erin Sullivan Sutton, the department's assistant commissioner for children and families. "We will monitor the issue very closely...but we have not heard of any issue at this point."
The congressional review of data security continues Wednesday with a House committee hearing on the subject.