Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  February 5, 2014 9:00pm-11:01pm EST

9:00 pm
borders of the united states. >> well, i would hope since everybody agreed that this is a problem and that the federal government should legislate, we can come up with the best practices set of recommendations, present to the committee and then let us massage it only the way we can. and we will try to move on something hopefully in this congress. and with that, i'm going to yield 34 seconds to the chair. >> thank you very much, mr. barton. the chair recognizes the dean of the congress, mr. dingell of michigan. >> mr. chairman you are most courteous and i commend you for holding this important hearing. i think we can all agree that the breaches were tragic. we had a duty to protect the american consumers from events like this in the future. this committee and the house
quote
9:01 pm
must act to pass data security and breach notification legislation. the administration has proposed similar legislation. congress must act again and we must ensure that such legislation makes its way to the president's desk for signature. to that end, i'm most interested to hear any opinions of the f.t.c. and what they may wish to share to us. all my questions this morning will be addressed to chairman ramirez. now, chairman, in your written testimony, indicates that the commission enforces a variety of statutes such as gram-leach bliley and privacy protection act. do any of these acts require an f.t.c. entity whose collection of personal identification has been breached to notify customers?
9:02 pm
yes or no? >> no. >> that is needed, i assume? >> yes. absolutely. >> now madam chairman, do any of these acts require notification of the federal trade commission or law enforcement in general of such a breach, yes or no? >> no. madam chairman, should the congress enact a federal data security and breach notification law, yes or no? >> yes. >> madam chairman, under such laws, should f.t.c.covered entities be exempted from breach notification requirements if they are already in compliance with glba and coppa? yes or no? >> no. >> madam chairman, should such a
9:03 pm
law be administered by one federal agency or some kind of a collage of agencies? >> one agency. >> now, i happen to think that should be the federal trade commission because of its long expertise in these matters, do you agree? >> i would agree. >> madam chairman, should the federal data security breach and notification law prescribe requirements for data security practices according to the reasonableness standard already employed at the commission, yes or no? >> yes. madam chairman, should that be expanded? should that be expanded? >> yes, i think there should be a robust federal standard. >> i will ask you to contribute for the record information on that view, if you please. i ask unanimous consent that that be inserted at the appropriate time. >> without objection.
9:04 pm
>> thank you, mr. chairman. now madam chairman, should such a law address notification methods, content requirement and timeliness requirements, yes or no? >> yes. >> wouldn't work very well without it, would it? >> that's right. >> madam chairman, in the event of a data breach should comprehensive strategy and breach notification law require companies to provide free credit monitoring services to the effected consumers for a time concern, yes or no? >> yes, with limited exceptions. >> do you have authority to do that now? >> no. >> do you need it? >> i think it would be appropriate to have the requirement with limited exceptions. >> madam chairman, i note -- let's ask this question, should violation of such law be treated as a violation of a federal
9:05 pm
trade commission rule promulgated under the federal trade commission act, yes or no? >> yes. >> madam chairman, would you please submit some additional comments on that point for the record. >> absolutely. >> now madam chairman, should such a law be enforceable by states attorney general? >> yes. >> madam chairman should such law preempt state day data breach and security laws? >> if the standards are robust enough. >> would you submit some additional information on that point, please. >> yes. >> madam chairman given advances in criminal ingenuity which seems to be moving at the speed of light, should any statutory definition of the term personal information included in a comprehensive federal data security and breach notification
9:06 pm
law be sufficiently broad so as to protect consumers best, yes or no? >> yes. >> thank you, madam chairman. mr. chairman, i want to thank you for your kindness to me this morning. i urge the committee to work with the federal trade commission to draft and pass comprehensive data security and breach notification legislation. i believe this should be done in a bipartisan fashion and i think that the democrats and the republicans can work together for this purpose. meanwhile, i would note such legislation is not a panacea for data theft and will ensure to reduce it and better protect consumers. i thank you, mr. chairman, for your courtesy to me, and i appreciate the holding of this hearing. madam chairman, thank you for your courtesy. >> well done, and actually entertaining. mrs. blackburn you are
9:07 pm
recognized for five minutes. >> thank you, mr. chairman, i appreciate that. thank you all again, i think i want to start with you for a minute. you said in your testimony, never has the need for legislation been greater. and -- so taking that statement, it could mean companies who suffered the breaches did not use reasonable measures to protect consumer data. so if that is your statement then, is the f.t.c. involved in the forensic investigation regarding the target, adobe, the hotel chains, all of these breaches? >> i'm afraid i can't discuss any particular companies or discuss whether the f.t.c. is involved in any particular investigation but let me explain what i meant by that statement. i meant it as a general statement we flecting what we
9:08 pm
are seeing in the marketplace and that is that companies continue to make very basic mistakes when it comes to data security and our role at the f.t.c. is to protect consumers and ensure that companies take reasonable measures to protect consumer information. >> let me stop you right there. so you're saying that not due to this group, but because of general -- so you are basically reworking your testimony. it's not that these specific breaches shows that there has never been a greater need. you may want to submit a little bit of clarification there. >> right now. >> i want to move on, three minutes and 14 seconds and five pages of questions. i would like for you to submit to us what is the reasonable standard.
9:09 pm
you have referenced this several different times but i have not seen a reasonableness standard in writing. so what are you referencing? >> we take a process-based approach to this question. technology is changing rapidly. the threats that companies face are evolving very rapidly and the appropriate way to proceed is to focus on whether companies are looking very closely at the threats to which their businesses are exposed and whether they are setting reasonable security programs. if i may, it's a very fact-specific inquiry. >> i can appreciate that but i think to use that term repeatedly, what we need to know is what your definition of reasonableness would be. you know, we hear the chairman
9:10 pm
say well you're not doing this, you're not doing that. how quickly do the cyber criminals' methods evolve? you have looked at this for a long time and you send out updates daily, weekly, monthly, how quickly is the evolution of this process? >> the evolution is incredibly fast and we are learning with each incident the complexity. they are moving quickly to very sophisticated -- and we are in a chase to keep up with them. >> another thing, you testified that in a number of 50 data security cases settled by the f.t.c. the companies failed to employ available cost effective security measures to minimize or to reduce the data risk. so i want you to give us some examples of the kind of measures that the companies failed to
9:11 pm
use, because you hear how quickly this evolution is taking place. and the need for flexibility and nimbleness and then we hear you saying, you have to have a standard and got to do this. and we have taken these efforts in the 50 cases we have settled. for those of us looking at what legislation would look like, we have to realize that it's got to be nimble, you are saying you want something but you are not giving us specifics or examples of what you think people have failed to do. so i hope you're understanding, we have a little bit of a gap here. go ahead. >> so let me just say that i think the approach that the f.t.c. recommends for legislation is one of reasonableness.
9:12 pm
we think that's an appropriately flexible standard that will allow for nimble action and to give you an example. in our experience, companies continue to make simple mistakes when it comes to data security. we have data that corroborates that and that is the verizon data breach report that was referenced in opening remarks. just to give you a few examples, this can scan low-tech and high-tech mistakes, failures to use passwords or encrypt personal information, the failure to update security patches. these very basic mistakes that we encounter. >> so it is the consumer and not company failures? >> i'm referring to company failures. >> thank you. i yield back. >> thank you and now recognize
9:13 pm
the gentleman from vermont for his five minutes. >> thank you, mr. chairman. the technology that we use is not the best, is that correct, chairman ramirez? as i understand, chip and pen technology is what is now being used in europe and it has better success in preventing fraud, is that right? >> we don't recommend any particular technology. it ought to be technology neutral. we certainly would support any steps that are taken at the payment card system and to protect or better protect consumer information. >> are we still using 1970's-era magnetic strip technology? is that your understanding? >> yes, that is accurate. and so that puts us behind virtually every other country in the world in terms of the security of our payment systems. >> there is an ability on the
9:14 pm
part of the card issuers to upgrade the card technology to meet basically standards that are being employed in europe, is that correct? >> that is correct. and when you look at the amount of fraud losses that these other countries where the chip and pin technology is used, you can see their levels of fraud have decreased significantly around 50%. so chip and pen technology won't completely eliminate fraud and breaches, but it could curb the amount that we currently see. >> and what i see visa and mastercard have announced a roadmap to chip and pin cards. do you think it would be a problem if they decided to abandon the pin? >> people can change their pins as they change pass words. >> you have front line
9:15 pm
responsibility to try to maintain the integrity of this system and it is important to our merchants, to our banks and to our consumers. >> would you pull the microphone closely. >> the secret service doesn't have a metric to measure chip and pin in the united states. but however the secret service supports any technology that would assist in the security of that particular data. >> is your understanding the same as the general that technology -- the chip and pin technology deployed in europe has been much more successful in reducing fraud? >> it could give another level of security which makes it difficult for the criminals to get at that data. i'm not saying it's the solution, there is not a 100% solution, technological solution. >> but what it is, it's a better technology from the 1970's era magnetic swipe card?
9:16 pm
>> it's a 30-year technology, sir. >> how but? >> i agree with the other panelists, but there are other challenges as well. people using their phones for payment. you are using your computer and laptop, so having that extra security on the cards itself would be helpful but we have to look at other things as well. >> back to you chairwoman ramirez, it would be good to have a standard but we can't pick winners and losers on technology, so what would be a concrete step that congress could take that would be practical and effective in improving the status quo? >> number one, congress taking action alone would be a very important statement. but what we advocate is reasonableness standard being employed along the lines of what
9:17 pm
the f.t.c. has in place with the safeguards rule and i would be happy to work with the committee on these issues and my staff is available to do that. >> we can as a legislative body prosecute prescribe what the technology is, the industry has to figure that out. but on the other hand, you need flexibility if steps are taken or not taken that could be that would enhance security for consumers and merchants. >> flexibility is important and that is one of the reasons requesting that the f.t.c. has rulemaking authority that would allow the agency to take into account evolution in changes when it comes to technology. >> would this be helpful in the privacy breaches as well? these are monetary value but ending up with personal information, things that can be used in identity theft. the better security, would it
9:18 pm
not only help with the economic loss but the identity theft? i'll ask you. >> absolutely. what we see is when people's personal information is taken and frequently used to commit identity theft, but it can be used, not just financial identity theft but many other types of identity theft. >> i see my time is up. this is a great panel. thank you for assembling it. >> thank you and i recognize mr. lance, the vice chair. >> thank you, mr. chairman. recent wall street "wall street journal" reported that the software virus couldn't be detected by any known anti-virus software, is that accurate? >> it is.
9:19 pm
>> and could you elaborate on that. >> most of our detection systems use significance in a turs, so they are known problems and there is a technical formula we put into a machine that says hey, you told me to look for this and there are intrusion systems that prevent that malicious event getting to the end point. looks like the criminals modified from what is a standard attack at point of sale in such a way that it was undetectable. >> you stated that the secret service has observed a marked increase in the quality, quantity cyber crimes targeting industry and critical infrastructure. can you give us some examples of how these criminals and their tactics have evolved and i presume these criminals are not necessarily residents or citizens of the united states. >> yes, sir. we are talking about a network of transnational cybercriminals. you know, over time, we could look back at data breaches at t.j. max x and dave and busters and during that time they were
9:20 pm
attacking encrypted data, which is credit card payments. that got changed, in 2007, the focus instead of going to credit card processing companies, looking at ways to get at the same type of data but looking at it when it was unencrypted. encrypted modification has been made through that system and information is encrypted. today we have seen the change now, they are looking at where the fence is and how to get around that fence. where they are attacking now is at the point of sale piece. from the point of sale terminal
9:21 pm
to the back of the house server, that piece of string has not been encrypted. >> madam chairwoman, you answered representative dingell's questions regarding preemption. i didn't understand your answers, my fault. would you explain in a little more detail your views on preemption and i certainly in a robust democracy with protections both here in washington and at state capitals and if you could just elaborate briefly on the preemption issue. >> yes, i believe that preemption is appropriate but provided that the standard that is set is sufficiently strong
9:22 pm
and also provided that the states have concurrent ability to enforce. >> concurrent ability. so this would not mean that the states would not have a significant responsibility in this very complicated and difficult issue. >> the states do tremendous work in this issue and vital to have them enforce the law. >> attorney general, it's a pleasure to meet you, although i do not know you, the "new yorker" magazine comes into our house all the time and your husband, brilliant cartoonist. >> in terms of preemption, i would concur with what the chair woman has said as long as the federal legislation has strong enough standards and states retain the ability to enforce as we do in a number of areas already. we understand that it is potentially reasonable to say ok, we are going to preempt you in a certain manner. in fact, back in 2005, congress
9:23 pm
received a letter from the national association of attorneys general requesting notification laws be put in place at the national level and so as long as we still retain the ability to respond to our consumers and this is looked at in some ways potentially as a floor and not a ceiling, we understand your role. >> thank you very much. let me say, mr. chairman, i believe that this committee will in a bipartisan capacity work on this issue, work to conclusion and this is the committee in the congress that deals on these important nonpartisan or bipartisan issues and i have every confidence that we will meet the challenge working with the distinguished panel, working with the next panel and i look forward to being involved to the greatest extent possible. thank you, mr. chairman. >> thank you, i recognize the gentleman from kentucky, mr. guthrie, for five minutes. >> thank you, mr. chairman. i have a business background and
9:24 pm
i know that any time you have an issue with your customers, it takes a long time to build trust back up again and incentive for businesses to protect their data, but at the same time, i worked in a retail store when i was in high school. my grandfather had a grocery store. everybody has to deal with data. right incentives and right things in place to make sure that is protected. i want to talk to agent noonan, criminals' unauthorized access, are they not paying attention? >> no, sir, for law enforcement and for the secret service, result of a proactive approach to our law enforcement and we are gathering information and working with our private sector partners especially in the financial services sector when
9:25 pm
we are receiving data. what can occur, we can see a point of compromise where the retailer might not necessarily see compromised data out in the world. by looking at that data, we can go to that company and advise them that they have a leak. now it doesn't necessarily mean it's that company but it could be their credit card processing company. it could be their bank, a host of other systems that are hooked into the main company. but it's a point for us to go to that potential victim and say look at your data and see if there is a problem. >> who typically notice the breach, law enforcement who may see these transactions or all of a sudden, one day retailer starts getting calls or credit card companies from their customers and saying these are charges that aren't mine and
9:26 pm
find out what's in common with these people. do you find that as it's going through your monitoring or is it people reporting that they had something done to them or both? >> to answer your question, both. >> what is typical? >> i don't think there is a typical. but we work closely with the banking community. as they find those anomalies, obviously, they are getting calls from their consumers. they'll notice an anomaly. and we were out in the -- targeting different criminals and in targeting them, we are able to see different things that are happening in the criminal background and that is another effective tool that we have at our disposal to be proactive.
9:27 pm
sometimes notification but you have to realize in law enforcement under that approach, sometimes we are stopping it from occurring. we might go to a potential victim company to allow them to know they have been come proposal myselfed and in doing so, we stop the company from losing a single dollar. that is a very successful method in which law enforcement is a tool for consumers. they are out there in front looking for that type of behavior. >> i appreciate that effort. and you mentioned the mitigation capabilities were leveraged to coordinate systems to prevent these attacks. >> probably the most important part of what we do, so it's not about finding the fires and putting them out but putting them out to begin with. this is another great example. these companies had a compromise. our responsibility is to assist them and let the broader community to know and see if it's on their systems to take it off and prevent it as well. >> you described a product that contains detailed tech any analysis regarding recent point
9:28 pm
of sale attacks. can you describe what are mitigation recommendations and who develops those? >> we work with a cross section across the nation with the financial services sector and technical managers in the security services and canvass the nation as a whole and put out recommendations. in some cases, simple as changing your passwords. the other panelists were talk binge that. if you use the routine hygiene of cyber space you are in using fire walls, restricting access. some of these things are common sense, some of the things are new. but regardless, we want to get out as much information as we can. >> the place that i buy gas
9:29 pm
often has strips that say if it is rogan, please notify the key people at pay at the pump. one thing i want to point out, country --t note everybody has to be vigilant and nobody is impervious to cyber threats. right? >> that would be correct. >> the gentleman's time is expired. >> i think the chair and welcome the witnesses. combining that information with my career, we are engaged in combat here. it is warfare. in combat, we get the lay of the battlefield. panel, there are
9:30 pm
four separate phases of attacks. access to data, propagation. packageion for the big and excellent trait and. exfiltration. the publictant for sector to focus on the last step. the private sector had the first step. if we get there, we're closing the barn door after the cars -- the cows of gotten out. not an effective way to fight this battle. how can we be part of the public-sector and help with all four phases of an attack? not just exfiltration.
9:31 pm
>> try to focus our efforts, getting at that first phase of the adversaries actions. we do not want to be the responders, we want to be the prevention mechanisms. where we discover challenges are that they have already happened. like to highlight that our industrial control, we are doing in spearman tatian -- experimentation. we work with the private sector very closely to see where the vulnerabilities are. we close those doors as we find them. >> just by having some doubt,
9:32 pm
there are future damages. >> the proactive approach is that we are information sharing. as we see different tactics and trends happening in these intrusions, we are taking that information and sharing it with our partners at the electronic crimes task force and the secret service set up. we are taking that information and pushing it. that means it is being pushed out to the sector. the evidence and sharing what we are finding, we are better protecting the bigger infrastructure, if you will. >> any comments? would saythe things i in terms of the last two
9:33 pm
responses, from our perspective, there is an enormous amount of work that needs to be done to educate the public as to how to protect themselves. so many people have adopted technology so quickly, a are not necessarily putting place -- putting in place to safeguard and monitoring accounts. >> this issue is a complex one that requires a multifaceted solution that includes companies taking appropriate and reasonable measures and consumers also being educated to protect information. and why i believe action is really needed today, these breaches remind us how important this issue is.
9:34 pm
this is truly critically important. i went to law school at the university of texas, never practiced. why did you announce publicly you are investigating target but not neiman marcus? >> we announced both of them. >> thank you. are ready tok we move down this path. we are -- i am glad we are having this hearing. sometimes react in ways that i think are inappropriate to the true challenge. typically, we regulate when there is market failure.
9:35 pm
we don't think private actions can respond to a particular concern or threat. the justification for notification. why is it the case that the consumers can't figure out that if they are not happy with them, that they couldn't migrate some way. >> i do not believe the burden should be placed on consumers. >> if you think it will be stolen, you can buy a home security system. inallow consumers to step and decide if they want to pay $60, 200, or 1000 for their own
9:36 pm
security. >> i think consumers do have a role to play here. when you look back at the data that is available and is out there, it is also consistent with our experience. rise in breach report, an annual report that studies what is happening. companies continue to make fundamental mistakes. they are not taking the reasonable and necessary steps -- >> i appreciate that the report is there. i think we appreciate that. youou have data that tells
9:37 pm
how much people are prepared up pay for protection? do you have an analysis? >> i can tell you that we have $26 million of fraudulent with accounts. of the people we have had to work with, on average, they lost $762 in fraudulent accounts removed. i have not asked them how much they would like to pay. they feel as if they are having to pay the price simply for engaging in everyday activity.
9:38 pm
>> if we head down the path you are proposing that they ultimately won't pay for that, the cost will be borne by consumers? might it not be an idea that we consider that they pay for that directly the vacancy those costs and respond appropriately as --osed to have them remove >> i am not exactly sure the scheme you are trying to propose here. you are correct in the sense that if we are going to update credit card technology to adopt ins, they will pay an increased cost at retailers and fees at their banking institution. consumers will pay and hopefully
9:39 pm
we will be able to improve security. >> do you think there should be private rights of action associated with these rules? >> at this point, we have been able to handle these at the state level. nearly every other country in the world is ahead of us? you don't mean niger. a few inre may be africa. >> i just came back from europe and they think that we are doing pretty good. our system may not be in as dire situation acid then suggest this morning -- as has been suggested this morning. >> thank you, mr. chairman. i want to thank you folks for being here today. i am very concerned about the ofrease and sophistication
9:40 pm
these cyber attacks. and just to get your opinion on it. how does the increasing level of collaboration among cyber criminals that you referenced increase the potential harm to companies and consumers? >> the collaboration, it just increases their capabilities. when we said there is collaboration between these groups, they are loosely affiliated organized criminal groups that are doing this. oceans 11 analogy of of what this group and what the network does. doy have groups that will infiltration to gain access. they have other people that will design malware. it will go and map the different networks to figure out how to get through the networks. there is excellent ration of data that occurs.
9:41 pm
there is monetization. and there is money laundering. bring together a corrugated group of bringticated criminals -- together a group of sophisticated criminals, they get into theay to system. are they stateside or overseas? are lookingnals we at are transnational criminals. >> to what degree do we have the authority to go after those folks? do you know of ongoing actions to shut them down? the secret service has a
9:42 pm
unique history of success in this area. we talk about the t.j. maxx investigation as well as many others. in that investigation, we were successful. gonzalez --our albert gonzalez. in the summer of 2012, we people responsible responsible in the netherlands. we were able to bring to justice alexander in the dave and buster's case. and we were able to pick up three different romanian hackers responsible for the subway intoich shop intrusions thousand eight. we brought them to justice where the main leader was sentenced to 15 years in prison.
9:43 pm
we have a rich history of being able to effectively identify who these targets are, have them arrested, and work with international partners. i think it comes back to the relationships we build internationally bringing these actors to justice. >> the most developed nations that have a high degree of sophistication in their networks , they are vulnerable to these things as well. how robust are our agreements with other nations to go after the criminals that might reside in their countries? with have agreements numerous countries in europe. we have been working , very closely with netherlands.n the
9:44 pm
we have working groups in the ukraine and in office that we established in estonia. it is through those relationships and the laws we are enforcing that we are able to gather some success. you testified that no country industry or community or individual is immune to threat. mean that no one can be impervious to cyber attacks? it is one of those challenges like trying to prevent automobile deaths. you can do a lot of things but people may still pass. ultimately, i think there will be vulnerabilities that are exploited by very sophisticated actors.
9:45 pm
>> thank each of you for being here. know this is obviously an ongoing investigation, but do you have an early indication without revealing anything you should not as to how this might have been prevented? >> i think the important part here is that we know that this is a sophisticated criminal group. different companies, they had a plan. it is something that every company should also think of. they should potentially think when this happens to them. it brought back the information
9:46 pm
-- helping you find and mitigate the problem with law enforcement and share the information with government and the infrastructure to better protect the infrastructure is not necessarily a good plan. we would like to see companies have robust forensic companies assigned to them so that when an intrusion does happen, they can effectively mitigate it so there is no longer any bleeding. counsel isy, important for them to have. those are the important takeaways that we see in this case. >> are you satisfied that the response has been satisfactory? chairman ramirez, if i may ask you a few questions. overlap with the safeguards rule and the pci data security standards?
9:47 pm
and do the standards incorporate provisions of the safeguard rule or do they go beyond the safeguard rule? >> the way the ftc approaches its data security enforcement it is a reasonableness standard. we don't mandate or prescribe any specific standard or technology. of we think that as a matter course, they should look to industry standards and best practices evaluating what they should have in place. every case that we look at affects specific ones so i can't comment on hypotheticals. companies should be looking to industry standards and looking very valuable. it would be one factor that we would examine looking at
9:48 pm
antimatter. -- any matter. did not haveies perfect security. that the company would be found to be compliant. a needed push to keep -- a federal standard enforcement because it is often impossible to find a violation of the standard? >> we will be looking at each situation in a specific way and we certainly understand that there is no perfect solutions. security will not be perfect. we have many more investigations than we do enforcement cases. been brought for the violations safeguards rule?
9:49 pm
has industry compliance improved over time as industry becomes more familiar with it? generally speaking, i am speaking broadly, we continue to see basic failures when it comes to data security. the data we have available suggests companies need to do more in this area. at this time, we recognize the gentleman from florida for five minutes. >> i appreciate it very much. this is for the entire panel. data often moves without respect the borders, as you know. stronger law enforcement efforts worldwide can improve data security. in your testimony, you mention with lawl cooperation
9:50 pm
enforcement into these cyber crimes. on what youpand believe congress can do to enhance the international efforts going forward? a future trade discussion such as the transatlantic trade and investment partnership? >> i would recommend the continued support for our in international field offices as well as working groups where they are placing strategically around the world. we had a lot of great success in some of those eastern european countries within the last two years. we have had some great successes and an expedition of a romanian citizen to the united states based on the collaboration that .e've made here
9:51 pm
the doj has also expanded in those countries. as well as the office of international affairs, they have helped us in strategically working with those different countries to bring criminals that are affecting us here to justice. >> my organization is neither law enforcement or intelligence. we are a civilian organization and we have a relationship with 200 around the world. it is a technical exchange. i was in tel aviv and london. it was interesting to see our counterparts making extraordinary progress. inare leading the way governments role of cyber security.
9:52 pm
many of these threats are coming from overseas. many come from within our own countries. it would be better if we can engage with our international partners and use their legal means to go after these threats. and provide the ability to cooperate with us. if they had the legal ability. briefly, if i may. i believe the international corporation is an important dimension. we engage in international counterparts in all of the enforcement work that we do. this would be among them. >> the next question for chairwoman ramirez. i represent the 12th congressional district. while more and more seniors are becoming technologically adept, how would you recommend notifying seniors of a data breach in a timely manner if
9:53 pm
they are not reachable by e-mail? >> i think it is an issue we are happy to work with you on. seniors are becoming more adept at e-mail but if it is not an option, mail notification would be appropriate. we are happy to work with the committee. we have recently held a workshop on issues related to senior id theft and understand that this population can be particularly evil verbal. it might be one option and there would be other ideas that we would be happy to discuss with you. -- happy toe that work with you on that. the gentleman from west virginia is recognized for five minutes. i think we are going to have
9:54 pm
to go through a lot of the information that has been shared today. i think we've got something we can chew on for a little bit. i want to understand a little bit of what is happening with and the affordable care act, if i could. if you could participate with this, maybe you can help me. it was reported there were 32 security incidents that have .ccurred with obamacare were the individuals notified? that.m not familiar with to us,ou would get back please. do you know anything about those breaches? >> i do not have any knowledge of those breaches right now.
9:55 pm
given the standard that we have imposed on the private sector, should individuals be notified if there are breaches within the federal system? yes, breaches should be reported and people should have the opportunity to know about that and take the adequate precautions. >> i concur as well. >> there is also a report that came out that some of the software that was developed for obamacare was developed in belarus. there are reports that there might be some concern for malware being included in that. where are we in that evaluation? people are still signing up and we may have something that is contaminating our system. can any of you share with us what is going on internationally? changed buty have
9:56 pm
the intelligence product on that report has been withdrawn and is being reevaluated. there is no evidence that there has been any software development in the hhs. they are looking carefully and verifying that. >> it may have been someone -- >> it is a report that is being evaluated. >> if there is something you can --re with us >> hhs is looking at it closely. i can't see your name tag from here.
9:57 pm
in our law, there is a requirement that state agencies notify individuals when their personal information has been compromised. >> do you use some kind of encryption extensively? do you have encryption that you use for your data? >> different agencies handle it different ways. there are requirements in terms of how data is handled for state agencies. >> ok. thank you very much. i yield back the balance of my time. >> thank you for yielding back. no other members are here, therefore, that ends panel number one. i do want to follow-up. so the talk about the criminal syndicate, there was a story that there was an 18-year-old russian boy that developed this in his basement, this malware, is that accurate? >> sir, don't believe everything you see in the media, please.
9:58 pm
>> i've learned that too. all right. thank you. the first panel is dismissed. and we thank you. we may have questions submitted to you. we'll have those to you within about 14 days, if there are any. and we'd appreciate about a 14-day turnaround in answers. thank you. we will give a few minutes' break here so we can water -- get some water or something and then we'll be ready for our panel, second panel. [captions copyright national cable satellite corp. 2014] >> after the testimony, executives from neiman marcus and target appeared before a subcommittee. this panel is one hour, 20
9:59 pm
minutes. >> if everyone's seated, let's go. so i apologize. i was hopeful that that first panel would not last this long, but it did. so thank you and i hope that doesn't impact your rest of the schedule for the day, but appreciate you staying around. so our second panel of the day is the nongovernment panel. we have michael kingston, senior vice president and chief information officer of neiman marcus group. then john mulligan, executive vice president and chief financial officer, target brands, incorporated.
10:00 pm
bob russo, general manager of p.c.i. security standards council. and phillip smith, senior vice president for trustwave. we appreciate you being here today. as we did with the first panel, we'll go from my left. so mr. mulligan, you will start and you will have five minutes. >> good morning, chairman terry, ranking member schakowsky and members of the subcommittee. my name is john mulligan and i'm the executive vice president and chief financial officer of target. i appreciate the opportunity to be here today to discuss important issues regarding data breaches and cybercrime. as you know target recently experienced a security breach resulting from a criminal attack on our systems. to begin with, let me say how deeply sorry we are it's had on our guests and your constituents. we know it's shakened their confidence in target and we are determined to work very hard to get it back. at target, this attack has
10:01 pm
strengthened our resolve. we will learn from this incident and as a result we hope to make target and our industry more secure for consumers in the future. i'd now like to explain the events of the breach as i currently understand them. please recognize i may not be able to provide specifics on certain matters because the criminal and forensic investigations remain active and ongoing. we are working closely with the secret service and the department of justice on the investigation to help them bring to justice the criminals who committed this wide scale attack on target, american business and consumers. on the evening of december 12, we were notified by the justice department of suspicious activity involvement payment cards used at target stores. we immediately started an internal investigation. on december 13, we met with the justice department and secret service. on december 14, we hired an independent team of experts to lead a thorough forensics investigation. on december 15, we confirmed that criminals had infiltrated
10:02 pm
our system, had installed malware on our point of sale network and had potentially stolen guest payment card data. that same day we removed the malware from virtually all registers in our stores. over the next two days we began notifying them, preparing to notify our guests and equipping them with the necessary information and resources to address the concerns of our guests. our actions leading up to our public announcement on december 19 and since, having guided by the principle of serving our guests, and we have been moving as quickly as possible to share accurate and actionable information with the public. what we know today is that the breach affected two types of data. payment card data which affected approximately 40 million guests and certain personal data which affected up to 70 million guests. we believe the payment card data was accessed through malware placed on our point of sale registers. the malware was designed to capture the payment card data that resides on the magnetic
10:03 pm
strip prior to our encryption in our systems. from the outset, our response to the breach has been focused on supporting our guests and strengthening our security. in addition to the immediate steps i already described, we're taking the following concrete actions. first, we are undertaking an end-to-end forensic review of our entire network and will make security enhancements as appropriate. second, we increase fraud detection for our target red card guests. to date we have not seen any fraud on our proprietary credit and debit cards due to this breach and we've seen a low amount of additional fraud on our target visa card. third, we are reissuing target -- debit and credit cards immediately to any guest that requests one. fourth, we're offering one year of free credit monitoring and identity theft protection to anyone that's ever shopped in our u.s. target stores. fifth, we informed our guests they have zero liability for any fraudulent charges on their cards resulting from this incident.
10:04 pm
target is accelerating chip technology for our target red cards and our point of sale terminals. for many years target has invested a lot on personnel, processees. we've placed multiple layers of firewall, data loss prevention tools. but the unfortunate reality is that we suffered a breach. all businesses and their customers are facing increasingly sophisticated threats from cybercriminals. in fact, news reports have indicated that several other companies have been subjected to similar attacks. to prevent this from happening again, none of us can go at it alone. we need to work together. updating payment card technology and strengthening protections for american consumers is a shared responsibility and requires a collective and coordinated response. on behalf of target, i am committing that we will be an active part of the solution. members of the subcommittee, i
10:05 pm
want to once again reiterate how sorry we are for the impact of this incident has had on your constituents, our guests, and how committed we are to making it right. thank you for your time today. >> thank you. mr. kingston, you are now recognized for five minutes. >> chairman terry, ranking member schakowsky, members of the subcommittee, good morning. my name is michael kingston and i am the chief information officer at neiman marcus group. i want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cybersecurity incident at our company. i've submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. we are in the midst of an ongoing forensic investigation that has revealed a cyberattack using very sophisticated malware. from the moment i learned there might be compromise of payment card information involving our company, i have personally led the effort to ensure that we were acting swiftly, thoroughly and responsibly to determine whether such a compromise had occurred to protect our customers and the security of
10:06 pm
our systems and to assist law enforcement in capturing the criminals. because our investigation is ongoing, i may be limited in my ability to speak definitively or with specificity on some issues, and there may be some questions to which i don't have the answers. nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist you and your important work. our company was founded 107 years ago. one of our founding principles is based on delivering exceptional service to our customers in building long-lasting relationships with them that have spanned generations. we take this commitment to our customers very seriously. it is part of who we are and what we do daily to distinguish ourselves from other retailers. we've never before been subjected to any sort of significant cybersecurity intrusion so we have been
10:07 pm
particularly disturbed by this incident. through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated, a conclusion the secret service has confirmed. a recent report prepared by the secret service crystallized the problem when they concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case, according to our investigators had a 0% detection rate by anti-virus software. the malware was evidently able to capture payment card data in real time after a card was swiped and has sophisticated features that made it particularly difficult to detect, including some that was specifically customized to evade our multilayered architecture that provided protection of our systems and data. because of the malware sophisticated anti-detection devices, we did not learn we had an actual problem in our computer system until january 2
10:08 pm
and it was not until january 6 when the malware and its outputs had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. then disabling it to ensure it was not operating took until january 10. we sent our first letters to customers and made widely reported information out. despite our immediate efforts to have two separate firms of investigators to dig into our systems to find any data security compromise, no data security compromise in our systems had been identified. based on current state of evidence and the ongoing investigation, one, it now appears that the customer information that was potentially exposed to the malware was payment card information from transactions in 77 of our 85 stores between july 15 and october 30, 2013, at different
10:09 pm
periods of time within this date range in each store. two, the number of payment cards used at all stores used during this period was approximately 1.1 million. this is the maximum number of accounts potentially exposed to the malware. although the actual number appears to be lower since the malware was not active every day at every store during this period. three, we have no identification that transactions on our websites or at our restaurants were compromised. four, pin data was not compromised as we do not have pin pads and we do not request pins. five, there is no evidence that social security or personal information was exposed in any way. we have also offered to any customer who shopped with us in the last year at either neiman marcus group stores or websites, whether their card was exposed to the malware or not, one year of free credit monitoring and identity theft insurance. we will continue to provide the
10:10 pm
excellent service to our customers that is our hallmark, and i know that the way we responded to this situation is consistent with that commitment. thank you for your invitation to testify today, and i look forward to answering your questions. >> thank you. mr. russo, you are recognized for five minutes. >> thank you. my name is bob russo and i'm the general manager of the p.c.i. security -- >> can you pull the microphone a little closer to you? >> sorry. it's on now. >> and a little closer. >> as i said, my name is bob russo and i'm the general manager of the p.c.i. security standards council, a global industry initiative and membership organization focused on securing payment card data. our approach to an effective security program combines people, process and technology as key parts of payment card data protection. we believe the development of standards to protect payment card data is something the private sector and in particular p.c.i. is uniquely qualified to do.
10:11 pm
the global reach, expertise, flexibility of p.c.i. make it extremely effective. our community of over 1,000 of the world's businesses is tackling data security challenges from simple issues like password, in fact password is still the most commonly used password out there to really complicated issues like encryption. we understand that consumers are upset when their payment card data is put at risk and we know the harm caused by data breaches. the council was created to proactively protect consumers' payment card data. our standards represent a solid foundation for a multilayered security approach. we focus on removing card data, if it is no longer needed. simply put, if you don't need it don't store it. and if it is needed, then protect it and reduce incentives for criminals to steal it. let me tell you how we do that. the data security standard is built on 12 principles.
10:12 pm
capturing everything from everything from physical security to logical security. this standard is updated regularly through feedback from our global community. in addition, we've developed other standards that cover software, point of sale devices, secure manufacturing of cards and much, much more. we work on technologies like tokenization and point-to-point encryption. they work in concert with p.c.i. standards to offer additional protections. another technology, e.n.v. chip is an extremely effective method in a face-to-face environment. that's why the council supports its adoption in the u.s. through organizations such as the e.m.v. migration forum and our standards support e.m.v. today in other worldwide markets. however, e.m.v. chip is one piece of the puzzle.
10:13 pm
to do e.m.v. and do no more would not solve the problem. additional controls are needed to protect the integrity of payments, online and in other channels. these include encryption, tamper-resistant devices, malware protection, network monitoring and much, much more. these are all addressed in the p.c.i. standards. used together, e.m.v. chip and p.c.i. can provide strong protections for payment card data but effective security requires more than just standards. standards without supporting programs are only tools and not solutions. the council's training and certification programs have educated tens of thousands of individuals and make it easy for businesses to choose products that have been lab tested and certified as secure. finally, we conduct global campaigns to raise awareness of payment card security. we welcome the committee's attention to this critical
10:14 pm
issue. the recent compromises underscore the importance of a multilayered approach to payment card security and there are clear ways we think the government can help. for example, leading stronger law enforcement efforts worldwide by encouraging stiff penalties for these crimes. promoting information sharing between the public and private sector also merits attention. the council is an active collaborator with government. we work with nist, with d.h.s., with many government organizations. we're ready and willing to do much more. the recent breaches underscore the complex nature of the payment card security. a multifaceted program cannot be solved by a single technology, standard, mandate or regulation. it cannot be solved by a single sector of society. we must work together to protect the financial and privacy interests of consumers. today, as this committee focuses on recent breaches, we know that
10:15 pm
the criminals are focusing on inventing the next attack. there's no time to waste. the p.c.i. security standards council and business must continue to provide a multilayered security protection while congress leads the efforts to combat global cybercrimes that threaten us. we thank the committee for taking a leadership role in seeking solutions to one of the largest security concerns of our time. >> thank you, mr. russo. mr. smith, you are now recognized for five minutes. >> good morning, chairman terry, ranking member schakowsky, subcommittee members, staff, ladies and gentlemen. i want to thank you for the opportunity on behalf of trustwave to provide witness testimony on this important issue related to data breaches. i'm a former part of the violent crimes section. my law enforcement part includes prosecution of credit card fraud, access device fraud and counterfeiting. i left the justice department in
10:16 pm
2000 to join trustwave and now compliant services and technology service. i serve on the team as senior vice president and i was general counsel for 12 years. businesses and government agencies hire trustwave to protect their sensitive data and reduce risk. trustwave have customers ranging from the world's largest businesses and small and medium sized companies in many countries. we deal with ethical hacking, security research and we also train law enforcement on how to investigate network intrusion and data breach cases. today i will offer my recommendations on broader information security trends. it's important, i note, as a company we do not comment or speculate on specific data breaches and as such we will not be offering testimony today related to companies involved in the latest string of data breaches. however, i believe our company's
10:17 pm
experience in investigating thousands of data breaches over the past several years are advancing security research will be a value to you and the industry as a whole. my submitted written testimony discusses how card data is stolen and why businesses must go beyond p.c.i. for increased security and technologies and process that can help. while i don't have time to discuss the topic in depth, i want to highlight a few items. we have real-world data breaches. the focus of the report is around cybercrime. states that are carried out by professional professionals and many follow logical patterns as described by the secret service. the 2013 global security report highlights data, our experts analyzed from more than 450 data incidents, thousands of
10:18 pm
penetration -- tens of billions of events. the report states the retail industry was the top target in 2012, making up 45% of our investigation. food and beverage industry was second followed by the hospitality industry. those did not change in 2013. cardholder data was the primary target. mobile malware increased 400% in 2012. 73% of the victims were located in the united states. almost all of the point of sale breach investigations involved targeted malware. remote access made up 73% of the infiltration methods used by criminals. took businesses an average of 210 days to detect a breach. most took more than 90 days. 5% took more than three years. only 24% detected the intrusion themselves. most were informed by law enforcement. web applications emerged the most popular attack sector. ecommerce being the most targeted asset. weak password being password1 as the most password of choice. i talk about many different
10:19 pm
security areas as part of a defense in depth strategy, recommending multiple layers of defense, ongoing training. would however make the following observations. p.c.i. data security standard plays a critical control as it has increased awareness of securing data in the payment industry. the threat landscape is more complex than ever and keeping up with complying with the standards simply isn't enough. common misperception is that p.c.i. was designed to be a catch-all for security. we believe it gives businesses guidelines for basic security controls to protect cardholder data. we heard today about chip and pin and end-to-end encryption and these are all good. but there's no silver bullet. a multilayered approach involves people, process, technology and innovation. i would take these few minutes to highlight three particular ones. businesses implemented a response plan that includes advanced techniques, containment strategies and response technologies.
10:20 pm
web applications are a high-valued target for attackers because they are easily accessible over the net. web applications are often at businesses front doors and contain systems that have private data. while monitoring over 200,000 websites, we had 16,000 attacks occur on web applications per day. this is why businesses need to adopt protections that include the ability to detect vulnerabilities and prevent web applications. obviously anti-malware is a big issue here and what companies need to do is to defend against this is to deploy gateways. this is gateway specifically helped to protect business in real time from threats like malware and data loss. i want to thank the chairman and ranking member schakowsky for the opportunity to be here and happy to answer any questions. >> thank you, mr. smith. and that does conclude the testimony of our panel and now it's time for us to ask you questions.
10:21 pm
i get to go first. so i recognize myself for five minutes. mr. smith, based on your professional opinion in this industry, are we, the united states, suffering an increased onslaught of data breaches and attacks, or is it just simply we' paying more attention in the media? >> no, we are suffering more attacks, that's nor sure. >> can you quantify it that in any way? >> the number of attacks? i can only speak for our company and how many we're involved in each year which involves a number of different investigations as well as multinational locations within -- >> do you have an opinion why that's increased, the number of attacks have increased? >> i think anytime there is something of value and the web now gives the ability for these
10:22 pm
multinational to occur from anywhere in the world, so as the technology increases, so will the attacks, so will the value of that data that people are after. >> thank you. appreciate that. and for mr. mulligan and for mr. kingston, i appreciate your invitation. you don't have to accept that invitation. you don't have to be here. but you agreed to be here. and, a, i think that speaks well for both of the companies that you work for and your respect for the consumer to go on the record about what occurred and what you're offering to your customers. i want to thank you for that. doesn't mean we don't ask you tough questions. so let me start off the same question to both mr. mulligan and mr. kingston. both of you suffered point of sale attacks. and least with target, there was
10:23 pm
a portion of that that was unencrypted and they were able to get the information in plain language. plain text. is that a shortcoming? is that standard? how much of a surprise to you or not surprised there was that vulnerability at the point of sale, mr. mulligan? >> mr. chairman, we know -- >> and pull your microphone a little closer. >> we know today in the u.s. that credit card information, payment card information comes into point of sale systems from the magnetic strip unencrypted. in our case that data was captured prior to us encrypting it. we've seen in other geographies around the world where chip and pin or technology is deployed. the fraud related to credit cards have come down dramatically and that's why we've been supporters of that technology for a long period of time. >> mr. kingston. >> what we learned in our investigation, mr. chairman, is
10:24 pm
that the information was scraped at a time immediately following the swipe as well. and basically -- in essence, combing old data, so it was undetectable, hidden in plain sight? >> milliseconds before goes through the tunnels to the payment processor for authorization. back to mr. mulligan. have you been able to determine how they were able to get into the system in place the malware at that very sensitive point? >> it is my understanding the point of access was a compromise set of vendor credentials or login id and password. an end-to-end forensic review to understand the question. that is one we share with you. >> it was a process failure? >> we don't understand that
10:25 pm
today. at the end of the investigation, we are looking forward to getting the facts. >> mr. kingston? >> at this point, we have not found any evidence of how attackers were able to infiltrate our network. discussion on breach notification. first of all, we want to make atae the consumer, whose d whether it is financial or personally identifiable information, is notified in a timely manner. there is a perception that perhaps you discover the breach, you should push send for notification. does it really work that way? how much time is a reasonable amount of time before you notice the consumer of the breach? was on providing speed and getting notice quickly. we think it is important. balancing that, the lens we were looking through, providing them accurate information to help them understand what went on. then actionable information, what they could do about it.
10:26 pm
in addition, given the magnitude of our enterprise, we knew that we would get significant request from our guests, and we wanted to prepare with staffing the call centers and have staff that stores. i think all of this is how we approach this. the timeny days from you were told over the breach versus when you were able to send them notice? >> from the time we found the breach, we found the malware on our system to the time we notified was four days. >> mr. kingston, same questions? at neiman marcus believe that a prompt and specific notification is the best course of action. importantere are two things that need to be established in order for that to happen and happen in a reasonable way. the first is understanding that you do have a breach. or some sort of risk of attack. we learned that on
10:27 pm
january 6. the second important thing is to protect customers from any potential further harm, to make sure that you have contained in our case the malware that was discovered in our systems. it took us four days to do that. at that time, january 10, we immediately began notifying customers. >> all right, four days for each of you. thank you, and i will recognize the ranking member from illinois. >> thank you. just a quick question for mr. russo. i think that you do good work, but you are not suggesting that we should not act as a congress, are you, in order to set some standards? are plentyink there of things that can be done, not the least of which is law enforcement and information sharing. >> i understand. i am asking a yes or no question. are you suggesting that it is inappropriate or unnecessary for congress to act on standards, etc.? >> not at all, i have no opinion in that area.
10:28 pm
>> ok, i wanted to ask, mr. kingston, you discovered the breach internally? >> no -- >> neiman marcus discover the breach themselves? >> the first idea we had added -- had that there was anything particular along was january 7 when our forensic investigator brought to our attention they capablespicious malware of scraping card data. it was not until the sixth, four days, based on the sophistication of the malware, to decrypt it and compose it. >> who informed you? >> our forensic investigator. we hired a forensic investigator. >> ok. >> not mr. smith. >> and, mr. mulligan, you said the justice impart just justice department informed you? >> they came to us december 12 and indicated they had a handful of cards that had been cover
10:29 pm
must. one of the locations was target. at that point there was no indication or evidence there had been a breach. we found the breach three days later and shut it down within 12 hours. >> i actually wanted to talk more about the breach of marketing data, which affected 1/3 of all american adults, which is pretty serious. i'm asking these questions because i believe the breach of marketing data represents a really serious threat to consumers. payment card breaches are serious incidents, but criminals tend to obtain card data, spend money while they can, and move on. but names and contact information can be used in hing and social engineering schemes to try to perpetrate identity theft. breaches linger and
10:30 pm
identity theft lasts. i wanted to ask about the way that you informed the consumers who had these marketing data breaches. consumers received an e-mail message during the week them and received bad news.em -- that news. scammers sometimes use the legitimate names of companies. many people were alarmed when they look up the domain name and found permission denied message. i wondered how target determined it would contract to send these messages and what you are doing about the confusion congress may have felt. >> we wanted to notify we
10:31 pm
confirmed on january 9 that data had left our system on january 10. we sent out 56 million e-mail addresses. broad public disclosure so everyone would have information available. a couple things we did in response we communicated on our target.com website. located pertinent was there and could be trusted. second, we provided free credit monitoring, which includes identity theft insurance. >> let me refer to that. there was a briefing organized credit and they said monitoring does not stop fraud , so i amng accounts
10:32 pm
wondering what the rationale is and any ongoing improvements being developed by target. >> my understanding is consumers have no liability for any fraud that occurs on their card as a result of this reach. part of the package we offer is reduction,eft identity theft insurance, and access to a specialist, so anyone who has ever shopped at a target store has the ability to contact them and ensure their data is safe. >> do you agree that it won't ?top fraud >> what i can tell you is consumers have no liability for .raud on their accounts >> are you talking about fraud
10:33 pm
and purchase? i am talking about identity theft. >> we provide that as part of free credit monitoring. >> thank you. i recognize the vice-chairman of new jersey. >> thank you. you testified you were informed of the breach on december 12 and december 13, hired a firm on the 14th, and on the 15th you remove the malware from your point-of- sale network. if it was relatively defined once you were made aware of it, why wasn't it protected through your existing security procedures? >> that's an excellent question we have asked many times. we believe our investigation and whyvide the facts
10:34 pm
investments did not detect this. >> can you provide when you might have that information? take the time to assess the facts, and we will take action. i don't know how long that will take. detected apany breach of 70 million consumers. do you know how many accounts were breached under existing state laws? >> i am not familiar with that, but as we consider, we have had information, we have disclosed information to the public. confirmed 9 it was that data was extracted from our citizens, and january 10 we began to e-mail those guests for
10:35 pm
which we had e-mail addresses. >> from the time you first realized you had a problem in your system until you disassembled the malware, how did you conduct business with your consumers? how was the decision made? continue to conduct business for our customers during that time. however, as we were learning more about this particular wehisticated attack, immediately began implementing ofitional controls on behalf the controls we had in place at that time, so being very careful organization to further
10:36 pm
monitor suspicious activity. whetheru know yet suspicious activity increased between january 2 and january 10? >> we have not seen anything like that? >> that is an open question? >> no additional suspicious activity noted. all itigh-security eve seems as though the chip is a better mascot. consumerr pieces of information are obscured and the ability to provide card duplication is achieved, but there are two types of cards. those that require a pen and those that require a signature for operation. what do you believe is preferable?
10:37 pm
form, it is a powerful as you indicated. the powerful combination in any combinationlatable that has to be considered. >> from your professional perspective, who should consider that? be required, or should this be determined at state capitals? at the option of the private sector? >> that is beyond the purview of what the security council does. we are responsible for securing that data beyond what comes in.
10:38 pm
determinesof who what it is going to be, our job is to make sure it is protected. >> thank you. esther smith, do you have an opinion? >> the important point is it is an additional layer of security. there are multiple layers that need to be put in place. nothing is going to stop the data breaches. >> would you require this as a matter of statutory law or rule go regulation, or does that beyond what is appropriate for congress given the fact that technology advances as rapidly as it does? the chip and pen technology has been around for a long time. efforts youlot of can put forward for new technology and securing mobile payments. the technology is changing so
10:39 pm
quickly. going to the mobile side. implementing chip and pen is good for face to face otherctions, but having areas is just as important. >> thank you. i look forward to working with everyone on the committee. talking -- shopping at target. i think my wife is into neiman marcus. >> you are recognized for five minutes. >> i appreciate your candor at this point. one thing i'm curious about is that while we have some more
10:40 pm
instances of this type of breach , and i don't want to speculate why people may have singled out target and neiman marcus among a group of retailers, but there , many of of retailers whom don't have as high a profile as you, and my question is, are you able to discuss with your colleagues in the industry whether they have been able to attack that cyber might distinguish them from your operation? or have you been informed of any other attacks that have been opened up? steps.ook several once we identified malware we
10:41 pm
have ongoing relationship with law enforcement and shared that with them. we also shared it with security firms, who look for these types of malware. the on that, we have pushed for and are beginning to retail industry around information sharing across all retailers. it is an evolving threat. we believe information sharing is one path to understanding the evolving threat and how we will collectively deal with it. >> i am curious if there is any that someone tried to attack walgreens, walmart, and they failed where they succeeded . is there any evidence of that somewhere. that.ill take a look at are attacks going on
10:42 pm
constantly, and those are being defeated. the situations we are talking about our sophisticated malware. everyday they are defending against ongoing attacks. effort goingt of on today and will continue to go on. technologysecurity is an important part. that is where they can spread motivation. >> is there any legal impediment to your sharing notes? you say you are sharing information. >> part of our ongoing assessment is the benchmark and ensuring collectively we are providing the best potential. beenecifically there have that some have received
10:43 pm
the data breach and never shopped at target. reports accurate? yourould they be in database if they never shopped there? >> the vast majority of data is in the normal course of his miss. when a guest signed up for an app called cartwheel, we periodically append information, and very rarely we do by information to provide promotions we think they would benefit from. >> you have a relationship with amazon for a time. could any of that information and captured because of that relationship specifically, or is that irrelevant? >> it's my understanding there is a separation of the information between customers and our guest. >> the chairck.
10:44 pm
--ognizes the vice committee the vice chairman of the full committee, marcia lack burn. >> thank you, mr. chairman. to thank you for your patience this morning. you how so many of our constituents have mentioned their frustration with the data breaches and their desire to get some clarity and certainty in this process. as you heard me mention in the earlier questioning and opening doing a datae are security and privacy working group to make sure what we do that we do it in the appropriate
10:45 pm
manner and that we allow the flexibility and nimbleness that is going to be needed. well to the need to that. if i could come to you, and going back to the testimony with the malware that was in the breach, have any of the law enforcement agencies this, haveh you on they ever seen this type of malware before, and what is the the malware? >> we have been working closely with law enforcement, specifically with the secret service, and what they have been able to share so far is that the malware is very sophisticated.
10:46 pm
as i said earlier a zero , and it is not something they have seen before. >> so it was designed specifically for an attack? >> yes. >> do they know the origin? >> they have not shared that. >> when you look at this, here is something designed specifically to take down their financial infrastructure if you will. what is your guidance to us as we look at that information share?
10:47 pm
we know they send out threats on a regular basis, and you have something unique. what is your instruction to us, and what are the unique identifiers you are seeing creep up? >> the council is a wonderful for him in which to share information. companies give us feedback all the time about what is going on. the forensic investigators tell getbout trends which factored into making sure they are not only good for today but good for what we see in the future. it has been our experience the standards are very solid. we have a lot of history around this.
10:48 pm
i can recall that what we see are threats that have been exploited. and sor about passwords on. very basic names. are a myriad of ways to prevent this from happening and to prevent malware from getting into the system. at this point i don't have terms offormation in what actually happened. i can tell you right now all that we have seen has been exactly what the panel before us indicated. very basic x points that easily could have been defeated. solid information,
10:49 pm
we cannot say. >> when you look to the t.j. maxx breach, they were compliant. they just were not secure. there is a difference. how much have you invested insecure networks? >> we have invested hundreds of millions of dollars. part of that has been in malware detection, data loss protection. we have over 300 team members responsible for security. part of that is assessment. we are constantly assessing ourselves, having other third parties come in, benchmarking us against others, and we train on the important
10:50 pm
information security, so we have a holistic view. >>, chas nieman spent on security? -- how much has nieman spent on security. >> we have spent tens of thousands of dollars on security. it is really a combination of as people andwell process. i think one thing we do at neiman marcus is really important that i think the subcommittee should think about is the fact that we do annual security for all neiman marcus associates that access systems, and i think awareness is a big part of strong defense. >> my time has hired. i will yield back. i am going to submit a question for a written answer on the security codes. >> thank you. the chair now recognizes another
10:51 pm
gentleman from kentucky. >> thank you for coming. to follow up on what ms. theseurn asked, you said breaches are basic. >> today's breaches i don't know. said it could have been defeated? >> what we heard was all of the breaches until now have been basic security exploits that could have easily been prevented, and we don't know what the situation is from the latest reaches. didn't -- latest breaches. >> it didn't sound basic. based on what you do know, were target and neiman marcus compliant to standards? >> they do not report their
10:52 pm
compliance to the council. the council basically puts together the best standards we possibly can. we are not responsible for enforcement, nor do people report their compliance to us. we have no insight as to whether they were compliant or not. >> are you cannot assess? >> absolutely not. >> one of our previous panelists said retailers are business, but it isid in her testimony time to get serious about this. you said you spent tens of millions of dollars. i know you are the information officer. what do you think this will cost your business? just in terms of dollars? anything forave
10:53 pm
that yet. we disclosed publicly the losses as a result of this incident would be material to target. from theave visibility majority of financial institutions, but what i can tell you is out of the accounts taken, 16 and a half million were taken from target cards. what we have seen there has been no additional fraud on the debit card, and our visa card, which is a visa card like any other, we have seen low levels of fraud. we will have more information as we go through the process. >> we are still in the midst of our investigation. >> mr. smith. from fortune 500 bypanies, very sophisticated
10:54 pm
sophisticated criminals. when i get gasoline at the pump at a small station -- what process is in place for these guys? >> pci standards are across the board for this data. the smaller merchants have a smaller platform. they are able to defend their smaller presence on the internet. there are lots of basic security principles they can put in place to protect their network and their data. there is a lot of information out there for the small merchants for what technologies they should be putting out there. >> if i can interject, being a small merchant is a very tough
10:55 pm
thing these days. you not only have to worry about shoplifting and somebody breaking into your store, but you now have to worry about security. in an effort to make that easier, in our website, we certify different solutions people can choose. not only do we certify different solutions in terms of payment applications as well as pos devices that are secure, but also, we train installers throughout the nation so a small merchant as opposed to using his help installw to software can actually pick somebody off the list to securely install the information for them, so we make it easier merchant, butr the merchant area is a very big problem. saide other panelist also
10:56 pm
there is a list of different things people can do, and they will do some, but it won't do the others. is that the case? , or is it so sophisticated it works around a very sophisticated system you already have? one of the panelists basically been aere could have checkbox, they decided it shouldn't cost money. that's what they said. is that what you found these days, or is it so sophisticated you had everything in place, or did you find something you should have found? but then you are done. >> we invested hundreds of millions of dollars in technology. part of the ongoing and to and review of our systems will provide that when it is complete, and there will be learning, and we will respond to
10:57 pm
those learnings. what was something obvious you didn't do that led to this? >> i think at neiman marcus we felt and feel very good about the high standards of security we had in place and continue to have in place. obviously, there will be lessons awayed, and i want to take from this this was a highly sophisticated attack. >> mr. johnson, you are recognized for five minutes. >> as i mentioned to the first panel, i spent my entire professional career as an i.t. -- one of those stints with as the director of the cio special operations , and you don't have any more than our national security,
10:58 pm
so i understand the complexities you folks have to deal with on a daily basis to address this, and i can empathize with the struggles you have. really quickly, just a few questions. mr. mulligan, why hasn't target joined the financial services, analysismation and center? >> i don't know the answer specifically. long tell you we have a history of sharing information with law enforcement as it relates to these types of threats, and we certainly believe information sharing and sharing across all industries is essential in dealing with this kind of evolving threat. >> is this giving you a thought to consider joining? >> certainly. as i stated earlier, we have implemented at least one step of that, but yours is another we are absolutely open to.
10:59 pm
>> what about retailers. do you think it is time for large retailers like you to consider having your own i sack -- isac? >> absolutely. >> what about law enforcement with respect to threats and attacks? do you think that is important also? have had an ongoing relationship with law- enforcement at many levels and have enjoyed a great relationship with them during that time as well. >> mr. kingston. what are the systems you had in place to guard against a data breach, and why did they fail in this case? >> we had a multilayer security approach and architecture in place. i will just highlight some of the controls of different technologies. had network behavioral
11:00 pm
analysis and monitoring in place. we had network segmentation with the use of firewalls and control intrusion detection we also do boy -- the ploy encryption technologies and utilize tokenization is a method to protect and secure information stored in our system. it sounds pretty robust. the traditional kinds of things to provide network and data security. why do you think those things failed? the sophistication of the attack? >> there are still important questions we have not answered in the investigation. but it really points back

62 Views

info Stream Only

Uploaded by TV Archive on