(Corrects first paragraph to House panel from Senate panel)
By Alina Selyukh
WASHINGTON, Feb 5 - U.S. companies that have
fallen prey to hackers, exposing the private information of
millions of customers, have often failed to take basic security
precautions to protect client data, Illinois Attorney General
Lisa Madigan told a U.S. House panel on Wednesday.
Madigan said previous investigations, conducted before the
recent spate of high-profile breaches, had turned up repeated
instances where companies allowed their systems to retain
unencrypted data, failed to install software patches for known
vulnerabilities and retained information longer than necessary.
Madigan said her office and that of Connecticut Attorney
General George Jepsen are now leading a multistate investigation
into recent data breaches that affected millions of customers of
U.S. retailers Target Corp, Neiman Marcus Group LLC,
and Michaels Stores Inc.
On Tuesday, top executives of Target and Neiman Marcus told
the Senate Judiciary Committee that hackers had found ways to
penetrate their best security practices. Both companies bemoaned
the sophistication of hackers behind recent data breaches that
exposed the private data of millions of their customers.
"During prior breach investigations, we have found instances
when companies failed to take basic steps to protect consumer
data," Madigan told the House Energy and Commerce committee. "So
the notion that companies are already doing everything they can
to prevent breaches is false."
The companies offered reasons for not deploying more secure
technology that ranged from high costs to length of check-out
times to disputes between banks and retailers, Madigan said.
"Frankly, it is negligent of the U.S. to fall behind the
rest of the world when it comes to security of our payment
systems," she said.
In testimony on Tuesday, Target Chief Financial Officer John
Mulligan apologized for a cyber breach over the holiday shopping
period in which about 40 million credit and debit card records
were stolen, along with 70 million other records with personal
customer information such as telephone numbers.
He told the committee the company had not been aware its
systems had been hacked before being notified of the breach by
the U.S. Justice Department.
The companies, joined by lawmakers and consumer advocates,
suggested an accelerated move to a new type of payment cards
known as "chip-and-PIN." Those cards store customer information
on computer chips and require users to type in personal
identification numbers to make further breaches less likely.
Some U.S. lawmakers are once again taking up an effort to
pass legislation to regulate data breach responses after similar
pushes gained little traction in the past.
(Writing by Jim Loney, editing by Ros Krasny and David