New York, NY - January 28, 2014 - U.S. Senator Charles E. Schumer today called on the Federal Consumer Financial Protection Bureau (CFPB) to launch an investigation into Target Corporation regarding the record setting credit card security breach that it revealed this week. Despite issuing statements promising the problem has been fixed, Target has yet to reveal exactly what system was breached, how it happened, and what steps they are taking to prevent another breach in the future. In response, Schumer demanded a transparent federal probe that reveals full details to the public and results in recommendations for how all stores can keep its shoppers’ credit card information safe.
This week, Target announced that hackers were able to tap into their credit card processing systems for in-store purchases and run away with the credit card information and other personal details of up to 40 million people, including hundreds of thousands of New Yorkers. Schumer said that without a full investigation into what happened – and a subsequent issuing of clear guidelines for stores moving forward -- there is no reason why such a large-scale breach of payment information will not happen again.
“If one of our nation’s largest retailers can be hacked so easily, even after spending millions of dollars each year on credit card security, it is near impossible for anyone to feel safe when using a credit card for in-store purchases,” said Schumer. “It is unacceptable for Target to say it has solved the issue but not release the details publicly. That is why I am calling on the Consumer Financial Protection Bureau to conduct a full investigation into what happened, release the findings to the public and issue guidelines for retailers across the country to ensure this type of security breach does not happen again, and so that consumers can rest easy when they go shopping.”
“This massive security breach at Target -- which is causing financial disruption for millions of families at holiday time-- is an urgent wake-up call to strengthen protections to improve data security and prevent financial crime,” said Chuck Bell, programs director for Consumers Union, publisher of Consumer Reports. “Consumers Union strongly supports Sen. Schumer’s call for a full investigation by Target and financial regulators, so that we can prevent similar incidents from occurring in the future. Consumers need to be able to shop with full confidence that their private financial information will be protected, and not disclosed to computer hackers and criminals.”
This week, Target revealed that the credit and debit card information of 40 million of its customers was exposed to hackers as the result of an attack on the retailer’s credit card. However, according to numerous media reports, Target has failed to reveal how the breach occurred and what system protections were in place to protect its customers. It also has failed to inform the public whether customer card data transferred from the stores’ registers to issuers and banks was encrypted. The transfer of data without encryption across multiple platforms greatly increases the likelihood that such data would be susceptible to security breaches and fraudulent activity.
Credit and debit cards account for more than 65% of all in-person sales across the United States and, as these trends continue to increase, the CFPB should play an active role in ensuring that retailers have adequate systems in place to protect consumers’ data and identities. The CFPB, which was created in 2011 after the financial crisis, is an independent federal agency that ensures consumers are protected when using various financial products and services.
According to Schumer, the CFPB should use its oversight powers to investigate exactly what happened in this instance at Target stores, reveal this information publicly so consumers can be aware, and then issue guidelines and recommendations for all stores to follow. These steps are vital for consumers throughout the United States and New York to be certain they are not risking their financial information when they make in-store payments at Target and other stores.
Full text of Schumer’s letter to CFPB Director Richard Cordray is below:
Dear Director Cordray,
I write to express my concern at the news that the credit and debit card information of 40 million Target customers was exposed by an attack on the retailer’s systems. I urge the Consumer Financial Protection Bureau (CFPB) to conduct a full investigation into the breach of the system and the manner in which consumer’s credit and debit card information was transferred from cash registers to card issuers and banks, and publicly release the results.
As highlighted in numerous media reports, Target has said that the breach has been fixed, but has failed to release any information as to how the breach occurred and what system protections were in place to protect its customers. Credit and debit cards account for more than 65% of all in person sales and, as these trends continue to increase, the CFPB should play an active role in ensuring that retailers have adequate systems are in place to protect consumers’ data and identities. To date, Target has failed to inform the public whether customer card data transferred from the stores’ registers to issuers and banks was encrypted. The transfer of data without encryption across multiple platforms greatly increases the likelihood that such data would be susceptible to security breaches and fraudulent activity.
The CFPB continues to dutifully protect the interests of consumers, and in that vein, I believe that these concerns would be similarly shared by those within the Bureau. I greatly value the efforts of those within the CFPB and again seek the expertise of this agency in investigating this most recent matter further. Accordingly, I respectfully request that the Bureau take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. Further, the CFPB should issue a full report on the findings of its investigation -- informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.
Americans have become conditioned to the reality that hackers and identity thieves will exploit their personal financial information if it is left unprotected; however, as consumers, we trust that retail outlets, especially those where purchases are made in person, have adequate systems in place to ensure that our personal financial information does not fall into the wrong hands. The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process. Breaches in security will continue to threaten our retail economy, but the CFPB must work to determine whether incidents like the one that happened earlier this month can be avoided by updated systems and technology, and subsequently require that such improvements be put into place. I believe answers to the questions posed and steps called for in this letter would be an important first step in this effort.
Thank you very much for your prompt attention to this matter.
Charles E. Schumer