Senate Judiciary Committee Holds Hearing On Digital Data Privacy In Wake Of Target Store Breaches
Win McNamee/Getty Images. John Mulligan, Target's chief financial officer, is to testify before a Senate committee Thursday.
By Doina Chiacu

WASHINGTON -- Target (TGT) missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released Tuesday.

There was no indication the No. 3 U.S. retailer responded to warnings that malware was being installed on Target's system. Other automated warnings the company ignored revealed how the attackers would carry data out of Target's network, according to the report.

"This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach," according to the Commerce, Science and Transportation Committee report.

The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data Breach," looked at previously reported information and applied an analytical framework known as the "intrusion kill chain," which is widely used in the information security field.

It was released on the eve of a committee hearing on how to protect personal consumer information from cyber attack. Witnesses will include John Mulligan, Target's executive vice president and chief financial officer, and Edith Ramirez, chairwoman of the Federal Trade Commission.

Target spokeswoman Molly Snyder declined comment on the staff report, saying the company did not want to discuss the breach before Wednesday's testimony by Mulligan.

The staff report said Target "failed to respond to multiple automated warnings from the company's anti-intrusion software" that the attackers were installing malicious software and were also planning escape routes for the information they planned to steal from the retailer's network.

It also said Target gave access to its network to a third-party vendor that didn't follow accepted information security practices.

Target also didn't isolate its most sensitive network assets, enabling the attackers to move from less sensitive areas to the places where Target stored consumer information.

The Minneapolis-based company admitted this month that security software detected potentially malicious activity during last year's massive data breach, but its staff decided not to take immediate action.

The company also said that last year's massive security breach could have been more extensive than reported so far, leading to further losses at the company.

The company has said so far that some 40 million payment card records were stolen along with 70 million other customer records during a cyber attack over the holiday shopping season.

Congress is investigating the breach along with lapses at other retailers, and credit card companies are pushing for better security.

Target also faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.

-Additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston.



2 Comments

Adele

"...but its staff decided not to take immediate action" I hope the "staff" has been replaced. There are thousands who would happily replace them and take their jobs seriously.

March 27 2014 at 9:22 AM
M

Target must not have considered consumer related information as part of "its most sensitive areas", maybe like executive pay and bonuses?

Well, a business associate running a local furniture store once bought three surplus/retired cash registers from a large jewelry store chain, and had the *men in black* come visit about two weeks after the auction sale. They wanted to buy them back.
After a lot of back and forth dialog, they admitted they were really only interested in ONE of the three, and they would pay him back what he paid for all three, and he could keep the other two for his trouble. More discussion followed, and he eventually found out (after admitting he had done nothing with, or to them, or even opened them to verify the *workings* were inside) that the one of interest had some encoding device in it to do the billing data transfers to the main computer system of the jewelry chain. That unit was sold without having that encoding device removed... Stuff happens, and has happened for a LONG time before Target. They REALLY wanted the entire cash register so he would not have a chance to even see the encoding device as they removed it. (He did offer to let them simply remove the device and be on their way, and they refused that offer.)
BTW, he took their deal for the money, and had two *free* cash registers.

(Yes, I was told the name of the jewelry store chain and shown the check they gave him, and NO, I will not name it. His furniture store closed a long time ago, and the jewelry chain is still in business, possibly in part because they got that cash register back... *smirk*)

It seems there was a two-week time lag in both cases, but one was a *potential* exposure, and the Target case was a DEFINITE intrusion. Ahhh, modern technology...

March 27 2014 at 4:28 AM