Experts say retailers aren’t taking basic cyber security precautions

TARGETED: Top executives of Target and Neiman Marcus, which suffered major data breaches last year that exposed private information of millions of customers, testified in Congress for a second straight day, saying the attacks were so sophisticated that they evaded their best security practices Photo: Associated Press

By Alina Selyukh

WASHINGTON (Reuters) – The Illinois official who is leading a multi-state probe into recent high-profile data breaches told U.S. lawmakers on Wednesday that companies whose systems have been hacked often have failed to take basic security precautions.

Lisa Madigan, the Illinois attorney general, spoke at a congressional hearing as lawmakers review whether retailers Target Corp and Neiman Marcus Group LLC properly protected their customers’ information.

Top executives of Target and Neiman Marcus, which suffered major data breaches last year that exposed private information of millions of customers, testified in Congress for a second straight day, saying the attacks were so sophisticated that they evaded their best security practices.

Madigan warned, however, that past investigations of other data breaches turned up repeated instances in which companies allowed their systems to retain unencrypted data, failed to install software patches for known vulnerabilities and kept information longer than necessary.

“During prior breach investigations, we have found instances when companies failed to take basic steps to protect consumer data,” Madigan told a House Energy and Commerce Committee panel. “So the notion that companies are already doing everything they can to prevent breaches is false.”

The companies and federal investigators are still trying to figure out how hackers stole the data. Experts testified that the malware used in the massive thefts was so complex and customized that common network security systems could not detect it.

“I didn’t hear a smoking gun,” Representative Lee Terry, a Republican from Nebraska, told reporters after the hearing held by his commerce subcommittee. “But like (the retailers) said, their audits aren’t complete. We knew that coming in here and we’ll continue to have dialogue.”

“It looked like it was a process failure,” he said.

Target, the third-largest U.S. retailer, has said the theft of a vendor’s credentials helped cyber criminals steal about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers.

Luxury retailer Neiman Marcus has said a maximum of 1.1 million accounts were exposed to malware during the breach of its computers last year.

“At Neiman Marcus, we felt and feel very good about the high standards of security that we had in place,” Neiman’s chief information officer, Michael Kingston, said on Wednesday. “Obviously, there will be lessons learned,” he added.

SOPHISTICATED CRIMINALS

Target announced this week it was speeding up a planned $100 million program for a new type of payment card known as “chip-and-PIN,” which stores information on computer chips and requires users to type in personal identification numbers to make fraudulent use less likely.

But security experts and IT service providers say moves like Target’s are a drop in the bucket as retailers defend against increasingly complex cyber attacks.

“As good as security factors are, these criminal organizations are looking for ways to go around whatever security (restrictions) have been set up,” Secret Service agent William Noonan told Wednesday’s hearing.

Noonan said the data breaches at Target and Neiman Marcus were separate, distinct attacks using different “criminal tools,” but the investigation had not yet revealed whether they were carried out by the same group of hackers.

“These were very sophisticated, coordinated events and it was not necessarily a singular actor,” he said. “When you bring together a coordinated group of sophisticated criminals, they will find” ways around defenses.

The Secret Service is the lead agency investigating the recent breaches.

NEXT STEPS

The companies, lawmakers and consumer advocates have suggested an accelerated move to chip-enabled cards, which are already used widely in Europe and Asia.

They have been met with much less enthusiasm in the United States, in part because losses to fraud – 5 cents for every $100 spent via plastic – have been manageable for merchants and their banks.

“Frankly, it is negligent of the United States to fall behind the rest of the world when it comes to security of our payment systems,” Madigan told lawmakers.

Federal Trade Commission Chairwoman Edith Ramirez asked lawmakers to give the FTC, which investigates and enforces companies’ privacy standards, civil penalty authority, jurisdiction over nonprofits and authority to set new rules “to enable us to deal with evolving risks and harms.”

The high-profile breaches have revived efforts in Congress to pass legislation to regulate data breach responses, including potentially setting a federal standard for how and when companies have to notify consumers about a breach.

Currently, notification rules are set through a patchwork of state laws, and questions about federal rules pre-empting states’ authority helped stall previous attempts to pass new data security bills in Congress.

(Writing by Jim Loney; Editing by Leslie Adler)
