According to testimony submitted to the Senate Judiciary Committee Tuesday, Target’s data breach wasn’t entirely over until December 18th—three days after it previously said all of the malware was removed—and it’s now expediting a “smart card technology” system to reduce future security threats.
The Minneapolis-based retailer’s chief financial officer, John Mulligan, said the malware that penetrated the company’s system still existed on about 25 registers for three days after Target said it had been removed from all of its stores.
The affected machines were disconnected from the company’s system when it completed its initial malware removal, according to the testimony, which is why they remained compromised. Mulligan said fewer than 150 credit card accounts were affected, adding on to the 40 million that were hacked between November 27 and December 15.
Mulligan’s testimony adds to a trend of Target gradually acknowledging over the past several weeks that the scope of the issue was larger than the company initially thought.
Target first publicly confirmed the data breach on December 19, when it announced that 40 million customers had their names and credit or debit card information stolen. On December 27, Target admitted that personal identification numbers from credit cards were also exposed. Then, on January 10, the company said that 70 million customers’ mailing addresses, phone numbers, or email addresses were also uncovered.
Investigators discovered last week that the hackers used stolen credentials from a vendor to access Target’s system.
“The malware was designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system,” Mulligan said in his testimony.
Minnesota Senators Amy Klobuchar and Al Franken were on the Senate Judiciary Committee panel questioning Mulligan. According to the Star Tribune, Klobuchar and Franken were expected to ask about technology improvements that could stop future hacks and about steps that consumers could take to ensure their information is protected.
In addition to admitting that the breach continued longer than Target originally stated, Mulligan also announced that the company is accelerating the implementation of “smart card technology,” which he said is designed to reduce the threat of credit and debit card fraud for shoppers in its stores.
The company said the technology contains a tiny microprocessor chip that encrypts the transaction data shared with sales terminals used by merchants, which it claims prevents thieves from counterfeiting the card. Target said that through a $100 million effort it will implement this smart card technology in all of its stores by the first quarter of 2015.
According to the Wall Street Journal, Target began testing the chip-based payment card method in 2001 but stopped the testing after three years because the cards slowed down checkout times.