Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

Andrea K. Gingerich
Brendan Sasso
March 25, 2014, 1:08 p.m.

Senate investigators accused Target on Tuesday of making serious missteps that allowed hackers to steal millions of credit card numbers from its system.

Target “missed a number of opportunities … to stop the attackers and prevent the massive data breach,” the Senate Commerce Committee aides wrote in a report.

The findings could expose Target to a lawsuit from the Federal Trade Commission, which has sued dozens of companies in recent years for failing to adequately protect customer data from hackers.

Molly Snyder, a Target spokeswoman, said the company’s investigation is ongoing.

“With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different,” she said.

The hackers stole credit card numbers for as many as 40 million Target customers between Nov. 27 and Dec. 15 of last year, according to the retailer. The hackers obtained other personal information such as names and addresses for another estimated 70 million customers.

The report comes ahead of Wednesday’s Senate Commerce Committee hearing, which will feature testimony from John Mulligan, Target’s chief financial officer, and FTC Chairwoman Edith Ramirez.

The report details how the hackers breached Target’s system and identifies numerous points where Target could have prevented the theft of its customers’ data.

Target gave access to its network to a small Pennsylvania heating and air conditioning vendor, Fazio Mechanical Services, which had “weak security,” according to the report.

The hackers used malware to infiltrate the vendor and then used the vendor’s credentials to access Target’s system, the investigators found. Even then, Target could have disrupted the hack if it had responded to its internal alerts.

“Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network,” the Senate aides wrote.

The report is largely based on the work of journalist Brian Krebs, a story in Bloomberg Businessweek and other news accounts of the breach.

In public financial filings, Target has acknowledged that it is under investigation by the FTC and state attorneys general over the breach.

Senate Commerce Committee Chairman Jay Rockefeller is pushing legislation that would expand the FTC’s ability to crack down on companies for inadequate data security. His bill, the Data Security and Breach Notification Act, would give the FTC the authority to set data security rules and the power to fine companies for violations.

The legislation would also set a national standard requiring companies to notify customers in the event of a breach.

“While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations,” the West Virginia Democrat said in a statement. “It’s time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”
