Target CEO Gregg Steinhafel confirmed in a CNBC interview on Monday that malware introduced on point-of-sale devices is what enabled thieves to steal 40 million cards, CVV numbers and encrypted PIN codes, as well as personally identifiable information (PII) on 70 million shoppers, in a roughly three-week-long data breach.
“We don't know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We removed that malware so that we could provide a safe and secure shopping environment.”
Target has taken other actions to protect its customers too, Steinhafel said, such as taking down 13 phishing sites that were preying on confused shoppers.
The retail giant also made good on its promise to offer free credit monitoring and identity theft protection when, on Monday, impacted individuals were given the green light to begin the enrollment process for those services.
Steinhafel said he first learned of the data breach on Dec. 15, 2013, a day that was spent eliminating the malware and ensuring people were safe to shop in all Target locations the following day.
Officials initiated an investigation and began forensic work on Dec. 16, 2013, Steinhafel said, explaining the following day was spent setting up the call center and preparing store employees for customer queries. Target then prepared to notify the public and announced the breach on Dec. 19, 2013.
“We have seen almost no fraudulent activity on our Target REDcard,” Steinhafel said, explaining Target will offer zero liability to customers by paying for any fraudulent charges on cards as a result of the breach. “We have some very low-level activity on the legacy Target Visa card. That's the only place that we've seen anything to this point.”
Looking forward, Steinhafel said that he would like to see Target take a lead role in shifting the U.S. from cards that use vulnerable magnetic strips to cards that contain encrypted chips and follow the EMV global standard for chip cards.
However, that shift is already under way: the initiative began gaining momentum in 2011 and is expected to really take off in October 2015, according to Randy Vanderhoof, executive director of the Smart Card Alliance.
Vanderhoof told SCMagazine.com on Monday that chip cards offer a bigger safety benefit because financial information is encrypted on the chip and can only be read when swiped through a card reader, which creates a unique one-time key only for that single transaction.