U.S. firms lax with data security, Illinois official tells Congress

    By Alina Selyukh

    WASHINGTON (Reuters) - U.S. companies that have fallen prey to hackers, exposing the private information of millions of customers, have often failed to take basic security precautions to protect client data, Illinois Attorney General Lisa Madigan told a House of Representatives committee hearing on Wednesday.

    Madigan said previous investigations, conducted before the recent spate of high-profile breaches, had turned up repeated instances where companies allowed their systems to retain unencrypted data, failed to install software patches for known vulnerabilities and kept information longer than necessary.

    Madigan said her office and that of Connecticut Attorney General George Jepsen are now leading a multistate investigation into recent data breaches that affected millions of customers of U.S. retailers Target Corp, Neiman Marcus Group LLC, and Michaels Stores Inc.

    "During prior breach investigations, we have found instances when companies failed to take basic steps to protect consumer data," Madigan told the House Energy and Commerce Committee panel. "So the notion that companies are already doing everything they can to prevent breaches is false."

    Companies have offered reasons for not deploying more secure technology that ranged from high costs to length of check-out times to disputes between banks and retailers, Madigan said.

    "Frankly, it is negligent of the U.S. to fall behind the rest of the world when it comes to security of our payment systems," she said.

    Top executives of Target and Neiman Marcus spoke to lawmakers for a second straight day, and said hackers had found ways to penetrate their best security practices.

    In the Target breach over the holiday shopping period, about 40 million credit and debit card records were stolen, along with 70 million other records with personal customer information such as telephone numbers. Neiman Marcus said a maximum of 1.1 million accounts were exposed to malware during the breach of its computers last year.

    "At Neiman Marcus, we felt and feel very good about the high standards of security that we had in place," Michael Kingston, the company's chief information officer, said on Wednesday, adding: "Obviously, there will be lessons learned."

    MODERNIZING SECURITY

    The companies, lawmakers and consumer advocates have suggested an accelerated move to a new type of payment cards known as "chip-and-PIN," which store information on computer chips and require users to type in personal identification numbers to make breaches less likely.

    Chip-and-PIN technology is already used widely in Europe and Asia, but not in the United States so far.

    Target announced this week it was speeding up a planned $100 million program for chip-enabled smart cards. But security experts and IT service providers say programs like Target's are a drop in the bucket as retailers try to defend against increasingly sophisticated cyber attacks.

    Secret Service agent William Noonan told Wednesday's hearing that the data breaches at Target and Neiman Marcus were separate, distinct attacks using different "criminal tools" but the investigation had not yet revealed whether they were carried out by different hackers.

    "As good as security factors are, these criminal organizations are looking for ways to go around whatever security (restrictions) have been set up," Noonan said. "These were very sophisticated, coordinated events and it was not necessarily a singular actor."

    The Secret Service is the lead agency investigating the recent breaches.

    Some U.S. lawmakers are again taking up an effort to pass legislation to regulate data breach responses after similar pushes gained little traction in the past.

    (Writing by Jim Loney, editing by Ros Krasny and David Gregorio)