January 13, 2014 - US retailer Target has confirmed that hackers infected its point-of-sale (PoS) terminals with malware to steal the details of millions of customers, with the latest estimate of the numbers' affected rising to 110 million.
The chief executive of Target, Gregg Steinhafel, told CNBC that the security breach was actually much larger than first reported, citing the 110m figure, which includes collateral breaches online.
According to the US retailer, around three times more customers than the original estimate of 40m were affected by the Target breach.
Speaking to CNBC, Mr Steinhafel said: "Clearly, we're accountable and we're responsible. But we're going to come out at the end of this a better company. And we're gonna make significant changes."
He went on to apologise for the success of the cyber-attack and promised that the company will get to the bottom of the situation.
Mr Steinhafel also defended the four-day delay in Target informing customers about the breach, claiming the time period was necessary for investigators and consumer preparation.
"Day two was really about initiating the investigation work and the forensic work ... that has been ongoing. Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification," he told CNBC.
Reaction: Lieberman
"In the USA, customers are indemnified from actual loss due to the breach, so the only suggestion is to keep an eye out for unauthorised transactions and if there are any, they should contact their card issuer to obtain a new card," said Phil Lieberman, chief executive officer (CEO) of Lieberman Software. "The only people that should be concerned are those that used their cards at Target.
"As to the effect on Target, history has shown that there will probably be no material effect on Target or their stock value. Target will probably provide the required mea culpa and go back to spending a minimum amount of money on IT and security and not really worrying much about the security of their customers (but publicly stating otherwise) ... In security, however, you generally get what you pay for."
The next stage for Target will be a rash of lawsuits brought on by every state in the USA that they operate in by the Attorney Generals of those states on the behalf of their state residents," continued Lieberman. "The credit card issuers will also slam them with massive fines by normal human measurement (nothing of consequence for Target). There will also be the usual gaggle of attorneys who will file class action suits against Target to shake them down for their poor downtrodden clients, but in the end the attorneys will benefit mightily by huge settlements paid for by Target to make the attorneys 'go away' with consumers getting, at best crumbs.
"There will also be the usual hand wringing about why the USA still does not yet have EMV credit cards, with chip and PIN."