Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

Andrea K. Gingerich
Brendan Sasso
March 25, 2014, 1:08 p.m.

Senate investigators accused Target on Tuesday of making serious missteps that allowed hackers to steal millions of credit card numbers from its system.

Target “missed a number of opportunities … to stop the attackers and prevent the massive data breach,” the Senate Commerce Committee aides wrote in a report.

The findings could expose Target to a lawsuit from the Federal Trade Commission, which has sued dozens of companies in recent years for failing to adequately protect customer data from hackers.

Molly Snyder, a Target spokeswoman, said the company’s investigation is ongoing.

“With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different,” she said.

The hackers stole credit card numbers for as many as 40 million Target customers between Nov. 27 and Dec. 15 of last year, according to the retailer. The hackers obtained other personal information such as names and addresses for another estimated 70 million customers.

The report comes ahead of Wednesday’s Senate Commerce Committee hearing, which will feature testimony from John Mulligan, Target’s chief financial officer, and FTC Chairwoman Edith Ramirez.

The report details how the hackers breached Target’s system and identifies numerous points where Target could have prevented the theft of its customers’ data.

Target gave access to its network to a small Pennsylvania heating and air conditioning vendor, Fazio Mechanical Services, which had “weak security,” according to the report.

The hackers used malware to infiltrate the vendor and then used the vendor’s credentials to access Target’s system, the investigators found. Even then, Target could have disrupted the hack if it had responded to its internal alerts.

“Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network,” the Senate aides wrote.

The report is largely based on the work of journalist Brian Krebs, a story in Bloomberg Businessweek and other news accounts of the breach.

In public financial filings, Target has acknowledged that it is under investigation by the FTC and state attorneys general over the breach.

Senate Commerce Committee Chairman Jay Rockefeller is pushing legislation that would expand the FTC’s ability to crack down on companies for inadequate data security. His bill, the Data Security and Breach Notification Act, would give the FTC the authority to set data security rules and the power to fine companies for violations.

The legislation would also set a national standard requiring companies to notify customers in the event of a breach.

“While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations,” the West Virginia Democrat said in a statement. “It’s time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”
