Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

A Target parking lot is empty. (iStock)
Andrea K. Gingerich
Brendan Sasso
March 25, 2014, 1:08 p.m.

Senate investigators accused Target on Tuesday of making serious missteps that allowed hackers to steal millions of credit card numbers from its system.

Target “missed a number of opportunities … to stop the attackers and prevent the massive data breach,” the Senate Commerce Committee aides wrote in a report.

The findings could expose Target to a lawsuit from the Federal Trade Commission, which has sued dozens of companies in recent years for failing to adequately protect customer data from hackers.

Molly Snyder, a Target spokeswoman, said the company’s investigation is ongoing.

“With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different,” she said.

The hackers stole credit card numbers for as many as 40 million Target customers between Nov. 27 and Dec. 15 of last year, according to the retailer. The hackers obtained other personal information such as names and addresses for another estimated 70 million customers.

The report comes ahead of Wednesday’s Senate Commerce Committee hearing, which will feature testimony from John Mulligan, Target’s chief financial officer, and FTC Chairwoman Edith Ramirez.

The report details how the hackers breached Target’s system and identifies numerous points where Target could have prevented the theft of its customers’ data.

Target gave access to its network to a small Pennsylvania heating and air conditioning vendor, Fazio Mechanical Services, which had “weak security,” according to the report.

The hackers used malware to infiltrate the vendor and then used the vendor’s credentials to access Target’s system, the investigators found. Even then, Target could have disrupted the hack if it had responded to its internal alerts.

“Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network,” the Senate aides wrote.

The report is largely based on the work of journalist Brian Krebs, a story in Bloomberg Businessweek and other news accounts of the breach.

In public financial filings, Target has acknowledged that it is under investigation by the FTC and state attorneys general over the breach.

Senate Commerce Committee Chairman Jay Rockefeller is pushing legislation that would expand the FTC’s ability to crack down on companies for inadequate data security. His bill, the Data Security and Breach Notification Act, would give the FTC the authority to set data security rules and the power to fine companies for violations.

The legislation would also set a national standard requiring companies to notify customers in the event of a breach.

“While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations,” the West Virginia Democrat said in a statement. “It’s time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”
