Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

A Target parking lot is empty. (iStock)
Andrea K. Gingerich
Brendan Sasso
Add to Briefcase
See more stories about...
Brendan Sasso
March 25, 2014, 1:08 p.m.

Sen­ate in­vest­ig­at­ors ac­cused Tar­get on Tues­day of mak­ing ser­i­ous mis­steps that al­lowed hack­ers to steal mil­lions of cred­it card num­bers from its sys­tem.

Tar­get “missed a num­ber of op­por­tun­it­ies”¦ to stop the at­tack­ers and pre­vent the massive data breach,” the Sen­ate Com­merce Com­mit­tee aides wrote in a re­port.

The find­ings could ex­pose Tar­get to a law­suit from the Fed­er­al Trade Com­mis­sion, which has sued dozens of com­pan­ies in re­cent years for fail­ing to ad­equately pro­tect cus­tom­er data from hack­ers.

Molly Snyder, a Tar­get spokes­wo­man, said the com­pany’s in­vest­ig­a­tion is on­go­ing.

“With the be­ne­fit of hind­sight, we are in­vest­ig­at­ing wheth­er, if dif­fer­ent judg­ments had been made the out­come may have been dif­fer­ent,” she said.

The hack­ers stole cred­it card num­bers for as many as 40 mil­lion Tar­get cus­tom­ers between Nov. 27 and Dec. 15 of last year, ac­cord­ing to the re­tail­er. The hack­ers ob­tained oth­er per­son­al in­form­a­tion such as names and ad­dresses for an­oth­er es­tim­ated 70 mil­lion cus­tom­ers.

The re­port comes ahead of Wed­nes­day’s Sen­ate Com­merce Com­mit­tee hear­ing which will fea­ture testi­mony from John Mul­ligan, Tar­get’s chief fin­an­cial of­ficer, and FTC Chair­wo­man Edith Ramirez.

The re­port de­tails how the hack­ers breached Tar­get’s sys­tem and iden­ti­fies nu­mer­ous points where Tar­get could have pre­vent the theft of its cus­tom­ers’ data.

Tar­get gave ac­cess to its net­work to a small Pennsylvania heat­ing and air con­di­tion­ing vendor, Fazio Mech­an­ic­al Ser­vices, which had “weak se­cur­ity,” ac­cord­ing to the re­port.

The hack­ers used mal­ware to in­filt­rate the vendor and then used the vendor’s cre­den­tials to ac­cess Tar­get’s sys­tem, the in­vestors found. Even then, Tar­get could have dis­rup­ted the hack if it re­spon­ded to its in­tern­al alerts.

“Tar­get ap­pears to have failed to re­spond to mul­tiple warn­ings from the com­pany’s anti-in­tru­sion soft­ware re­gard­ing the es­cape routes the at­tack­ers planned to use to ex­filtrate data from Tar­get’s net­work,” the Sen­ate aides wrote.

The re­port is largely based on the work of journ­al­ist Bri­an Krebs, a story in Bloomberg Busi­nes­s­week and oth­er news ac­counts of the breach. 

In pub­lic fin­an­cial fil­ings, Tar­get has ac­know­ledged that it is un­der in­vest­ig­a­tion by the FTC and state at­tor­neys gen­er­al over the breach.

Sen­ate Com­merce Com­mit­tee Chair­man Jay Rock­e­feller is push­ing le­gis­la­tion that would ex­pand the FTC’s abil­ity to crack down on com­pan­ies for in­ad­equate data se­cur­ity. His bill, the Data Se­cur­ity and Breach No­ti­fic­a­tion Act, would give the FTC the au­thor­ity to set data se­cur­ity rules and the power to fine com­pan­ies for vi­ol­a­tions.

The le­gis­la­tion would also set a na­tion­al stand­ard re­quir­ing com­pan­ies to no­ti­fy cus­tom­ers in the event of a breach.

“While Con­gress de­serves its share of the blame for in­ac­tion, I am in­creas­ingly frus­trated by in­dustry’s disin­genu­ous at­tempts at ne­go­ti­ations,” the West Vir­gin­ia Demo­crat said in a state­ment. “It’s time for in­dustry to work with us on le­gis­la­tion that re­in­forces the ba­sic pro­tec­tions Amer­ic­an con­sumers have a right to count on.”

What We're Following See More »
CFPB Decision May Reverberate to Other Agencies
1 hours ago

"A federal appeals court's decision that declared the Consumer Financial Protection Bureau an arm of the White House relies on a novel interpretation of the constitution's separation of powers clause that could have broader effects on how other regulators" like the Office of the Comptroller of the Currency and the Federal Housing Finance Agency.

Morning Consult Poll: Clinton Decisively Won Debate
1 hours ago

"According to a new POLITICO/Morning Consult poll, the first national post-debate survey, 43 percent of registered voters said the Democratic candidate won, compared with 26 percent who opted for the Republican Party’s standard bearer. Her 6-point lead over Trump among likely voters is unchanged from our previous survey: Clinton still leads Trump 42 percent to 36 percent in the race for the White House, with Libertarian nominee Gary Johnson taking 9 percent of the vote."

Twitter Bots Dominated First Debate
2 hours ago

Twitter bots, "automated social media accounts that interact with other users," accounted for a large part of the online discussion during the first presidential debate. Bots made up 22 percent of conversation about Hillary Clinton on the social media platform, and a whopping one third of Twitter conversation about Donald Trump.

Center for Public Integrity to Spin Off Journalism Arm
2 hours ago

The International Consortium of Investigative Journalists, the nonprofit that published the Panama Papers earlier this year, is being spun off from its parent organization, the Center for Public Integrity. According to a statement, "CPI’s Board of Directors has decided that enabling the ICIJ to chart its own course will help both journalistic teams build on the massive impact they have had as one organization."

EPA Didn’t Warn Flint Residents Soon Enough
3 hours ago

According to a new report, the Environmental Protection Agency waited too long before informing the residents of Flint, Mich. that their water was contaminated with lead. Written by the EPA's inspector general, it places blame squarely at the foot of the agency itself, saying it had enough information by June 2015 to issue an emergency order. However, the order wasn't issued until the end of January 2016.


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.