Senators pressed Mulligan and Michael Kingston, senior vice president and chief information officer at Neiman Marcus Group Inc., about how quickly they notified customers of the breaches.
Mulligan said Target executives were told on Dec. 12 by the Justice Department of suspicious activity involving payment cards. The company started an investigation, removed malware and publicly announced the data theft on Dec. 19.
A processing firm told Neiman Marcus of a problem on Dec. 13, and the company's investigators made a report on Jan. 2, Kingston said. Customers were notified on Jan. 10. The malware causing the breach appeared to have been operating in many Neiman Marcus stories between July and October, Kingston testified.
An estimated 1.1 million accounts were affected.