Target Corp., scheduled to testify tomorrow about a data breach affecting millions of customers, plans to tell lawmakers it had clues about the attack weeks before responding and is exploring why it took so long to react.
After intruders entered Target's systems on Nov. 12, some of their activities were detected and evaluated by security professionals, according to prepared remarks from Chief Financial Officer John Mulligan that were reviewed by Bloomberg. That was a month before the company was alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.
"We are asking hard questions about whether we could have taken different actions before the breach was discovered," Mulligan said in remarks to be made before a U.S. Senate panel. "In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound."
Molly Snyder, a spokeswoman for Minneapolis-based Target, didn't immediately respond to a request for comment.
The testimony follows a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.
"We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target's point-of-sale registers," Mulligan said. "The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system."
After the attack became public in December, during the height of the holiday shopping season, it harmed Target's reputation and fourth-quarter sales. The company's U.S. comparable-store sales decreased 2.5 percent in the period. Target spent $61 million responding to the situation last quarter, including costs to investigate the incident and offer identity-theft services to customers. Insurance covered $44 million of the tab, leaving the company with an expense of $17 million in the period.