Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

A Target parking lot is empty. (iStock)
Andrea K. Gingerich
Brendan Sasso
See more stories about...
Brendan Sasso
March 25, 2014, 1:08 p.m.

Sen­ate in­vest­ig­at­ors ac­cused Tar­get on Tues­day of mak­ing ser­i­ous mis­steps that al­lowed hack­ers to steal mil­lions of cred­it card num­bers from its sys­tem.

Tar­get “missed a num­ber of op­por­tun­it­ies”¦ to stop the at­tack­ers and pre­vent the massive data breach,” the Sen­ate Com­merce Com­mit­tee aides wrote in a re­port.

The find­ings could ex­pose Tar­get to a law­suit from the Fed­er­al Trade Com­mis­sion, which has sued dozens of com­pan­ies in re­cent years for fail­ing to ad­equately pro­tect cus­tom­er data from hack­ers.

Molly Snyder, a Tar­get spokes­wo­man, said the com­pany’s in­vest­ig­a­tion is on­go­ing.

“With the be­ne­fit of hind­sight, we are in­vest­ig­at­ing wheth­er, if dif­fer­ent judg­ments had been made the out­come may have been dif­fer­ent,” she said.

The hack­ers stole cred­it card num­bers for as many as 40 mil­lion Tar­get cus­tom­ers between Nov. 27 and Dec. 15 of last year, ac­cord­ing to the re­tail­er. The hack­ers ob­tained oth­er per­son­al in­form­a­tion such as names and ad­dresses for an­oth­er es­tim­ated 70 mil­lion cus­tom­ers.

The re­port comes ahead of Wed­nes­day’s Sen­ate Com­merce Com­mit­tee hear­ing which will fea­ture testi­mony from John Mul­ligan, Tar­get’s chief fin­an­cial of­ficer, and FTC Chair­wo­man Edith Ramirez.

The re­port de­tails how the hack­ers breached Tar­get’s sys­tem and iden­ti­fies nu­mer­ous points where Tar­get could have pre­vent the theft of its cus­tom­ers’ data.

Tar­get gave ac­cess to its net­work to a small Pennsylvania heat­ing and air con­di­tion­ing vendor, Fazio Mech­an­ic­al Ser­vices, which had “weak se­cur­ity,” ac­cord­ing to the re­port.

The hack­ers used mal­ware to in­filt­rate the vendor and then used the vendor’s cre­den­tials to ac­cess Tar­get’s sys­tem, the in­vestors found. Even then, Tar­get could have dis­rup­ted the hack if it re­spon­ded to its in­tern­al alerts.

“Tar­get ap­pears to have failed to re­spond to mul­tiple warn­ings from the com­pany’s anti-in­tru­sion soft­ware re­gard­ing the es­cape routes the at­tack­ers planned to use to ex­filtrate data from Tar­get’s net­work,” the Sen­ate aides wrote.

The re­port is largely based on the work of journ­al­ist Bri­an Krebs, a story in Bloomberg Busi­nes­s­week and oth­er news ac­counts of the breach. 

In pub­lic fin­an­cial fil­ings, Tar­get has ac­know­ledged that it is un­der in­vest­ig­a­tion by the FTC and state at­tor­neys gen­er­al over the breach.

Sen­ate Com­merce Com­mit­tee Chair­man Jay Rock­e­feller is push­ing le­gis­la­tion that would ex­pand the FTC’s abil­ity to crack down on com­pan­ies for in­ad­equate data se­cur­ity. His bill, the Data Se­cur­ity and Breach No­ti­fic­a­tion Act, would give the FTC the au­thor­ity to set data se­cur­ity rules and the power to fine com­pan­ies for vi­ol­a­tions.

The le­gis­la­tion would also set a na­tion­al stand­ard re­quir­ing com­pan­ies to no­ti­fy cus­tom­ers in the event of a breach.

“While Con­gress de­serves its share of the blame for in­ac­tion, I am in­creas­ingly frus­trated by in­dustry’s disin­genu­ous at­tempts at ne­go­ti­ations,” the West Vir­gin­ia Demo­crat said in a state­ment. “It’s time for in­dustry to work with us on le­gis­la­tion that re­in­forces the ba­sic pro­tec­tions Amer­ic­an con­sumers have a right to count on.”

What We're Following See More »
THE QUESTION
How Many People Protested in Philly Yesterday?
1 hours ago
THE ANSWER

About 5,500, according to official estimates. "The Monday figures marked a large increase from the protests at the Republican National Convention in Cleveland, where even the largest protests only drew a couple of hundred demonstrators. But it’s a far cry from the 35,000 to 50,000 that Philadelphia city officials initially expected."

Source:
NO BATTLEGROUND STATES LEAN TRUMP
NY Times’ Upshot Gives Clinton 68% Chance to Win
1 hours ago
THE LATEST

Only a day after FiveThirtyEight's Now Cast gave Donald Trump a 57% chance of winning, the New York Times' Upshot fires back with its own analysis that shows Hillary Clinton with a 68% chance to be the next president. Its model "calculates win probabilities for each state," which incorporate recent polls plus "a state's past election results and national polling." Notably, all of the battleground states that "vote like the country as a whole" either lean toward Clinton or are toss-ups. None lean toward Trump.

Source:
HOLCOMB IS A FORMER TOP AIDE
Indiana Lt. Gov. Tapped to Run for Pence’s Seat
2 hours ago
THE DETAILS

On the second ballot, the Indiana Republican Party's Central Committee tapped Lt. Gov. Eric Holcomb as their nominee to succeed Gov. Mike Pence this fall. "Holcomb was a top aide to former Gov. Mitch Daniels and Sen. Dan Coats and a former chairman of the state Republican Party."

Source:
AFTER ROLL CALL VOTE
Sanders May Officially Nominate Clinton
3 hours ago
THE LATEST

"Negotiations are underway to have Bernie Sanders officially nominate Hillary Clinton for president at the Democratic National Convention on Tuesday night, a move that would further signal party unity. According to a source familiar with the talks, the Vermont senator would nominate the presumptive Democratic nominee after the roll call vote."

Source:
THE REVOLUTION CONTINUES
Sanders to Channel His Movement into Local Races
4 hours ago
THE DETAILS

Bernie Sanders said he'll begin pivoting his campaign to an organization designed to help candidates at the local level around the country. At a breakfast for the Wisconsin delegation to the DNC this morning, he said the new group will "bring people into the political process around a progressive agenda," as it supports candidates "running for school board, for city council, for state legislature."

Source:
×