Senate Report: Target Could Have Prevented Massive Hack

The retail giant could face a federal lawsuit.

A Target parking lot is empty. (iStock)
Andrea K. Gingerich
Brendan Sasso
March 25, 2014, 1:08 p.m.

Sen­ate in­vest­ig­at­ors ac­cused Tar­get on Tues­day of mak­ing ser­i­ous mis­steps that al­lowed hack­ers to steal mil­lions of cred­it card num­bers from its sys­tem.

Tar­get “missed a num­ber of op­por­tun­it­ies”¦ to stop the at­tack­ers and pre­vent the massive data breach,” the Sen­ate Com­merce Com­mit­tee aides wrote in a re­port.

The find­ings could ex­pose Tar­get to a law­suit from the Fed­er­al Trade Com­mis­sion, which has sued dozens of com­pan­ies in re­cent years for fail­ing to ad­equately pro­tect cus­tom­er data from hack­ers.

Molly Snyder, a Tar­get spokes­wo­man, said the com­pany’s in­vest­ig­a­tion is on­go­ing.

“With the be­ne­fit of hind­sight, we are in­vest­ig­at­ing wheth­er, if dif­fer­ent judg­ments had been made the out­come may have been dif­fer­ent,” she said.

The hack­ers stole cred­it card num­bers for as many as 40 mil­lion Tar­get cus­tom­ers between Nov. 27 and Dec. 15 of last year, ac­cord­ing to the re­tail­er. The hack­ers ob­tained oth­er per­son­al in­form­a­tion such as names and ad­dresses for an­oth­er es­tim­ated 70 mil­lion cus­tom­ers.

The re­port comes ahead of Wed­nes­day’s Sen­ate Com­merce Com­mit­tee hear­ing which will fea­ture testi­mony from John Mul­ligan, Tar­get’s chief fin­an­cial of­ficer, and FTC Chair­wo­man Edith Ramirez.

The re­port de­tails how the hack­ers breached Tar­get’s sys­tem and iden­ti­fies nu­mer­ous points where Tar­get could have pre­vent the theft of its cus­tom­ers’ data.

Tar­get gave ac­cess to its net­work to a small Pennsylvania heat­ing and air con­di­tion­ing vendor, Fazio Mech­an­ic­al Ser­vices, which had “weak se­cur­ity,” ac­cord­ing to the re­port.

The hack­ers used mal­ware to in­filt­rate the vendor and then used the vendor’s cre­den­tials to ac­cess Tar­get’s sys­tem, the in­vestors found. Even then, Tar­get could have dis­rup­ted the hack if it re­spon­ded to its in­tern­al alerts.

“Tar­get ap­pears to have failed to re­spond to mul­tiple warn­ings from the com­pany’s anti-in­tru­sion soft­ware re­gard­ing the es­cape routes the at­tack­ers planned to use to ex­filtrate data from Tar­get’s net­work,” the Sen­ate aides wrote.

The re­port is largely based on the work of journ­al­ist Bri­an Krebs, a story in Bloomberg Busi­nes­s­week and oth­er news ac­counts of the breach. 

In pub­lic fin­an­cial fil­ings, Tar­get has ac­know­ledged that it is un­der in­vest­ig­a­tion by the FTC and state at­tor­neys gen­er­al over the breach.

Sen­ate Com­merce Com­mit­tee Chair­man Jay Rock­e­feller is push­ing le­gis­la­tion that would ex­pand the FTC’s abil­ity to crack down on com­pan­ies for in­ad­equate data se­cur­ity. His bill, the Data Se­cur­ity and Breach No­ti­fic­a­tion Act, would give the FTC the au­thor­ity to set data se­cur­ity rules and the power to fine com­pan­ies for vi­ol­a­tions.

The le­gis­la­tion would also set a na­tion­al stand­ard re­quir­ing com­pan­ies to no­ti­fy cus­tom­ers in the event of a breach.

“While Con­gress de­serves its share of the blame for in­ac­tion, I am in­creas­ingly frus­trated by in­dustry’s disin­genu­ous at­tempts at ne­go­ti­ations,” the West Vir­gin­ia Demo­crat said in a state­ment. “It’s time for in­dustry to work with us on le­gis­la­tion that re­in­forces the ba­sic pro­tec­tions Amer­ic­an con­sumers have a right to count on.”

What We're Following See More »
STAFF PICKS
When It Comes to Mining Asteroids, Technology Is Only the First Problem
19 hours ago
WHY WE CARE

Foreign Policy takes a look at the future of mining the estimated "100,000 near-Earth objects—including asteroids and comets—in the neighborhood of our planet. Some of these NEOs, as they’re called, are small. Others are substantial and potentially packed full of water and various important minerals, such as nickel, cobalt, and iron. One day, advocates believe, those objects will be tapped by variations on the equipment used in the coal mines of Kentucky or in the diamond mines of Africa. And for immense gain: According to industry experts, the contents of a single asteroid could be worth trillions of dollars." But the technology to get us there is only the first step. Experts say "a multinational body might emerge" to manage rights to NEOs, as well as a body of law, including an international court.

Source:
STAFF PICKS
Obama Reflects on His Economic Record
20 hours ago
WHY WE CARE

Not to be outdone by Jeffrey Goldberg's recent piece in The Atlantic about President Obama's foreign policy, the New York Times Magazine checks in with a longread on the president's economic legacy. In it, Obama is cognizant that the economic reality--73 straight months of growth--isn't matched by public perceptions. Some of that, he says, is due to a constant drumbeat from the right that "that denies any progress." But he also accepts some blame himself. “I mean, the truth of the matter is that if we had been able to more effectively communicate all the steps we had taken to the swing voter,” he said, “then we might have maintained a majority in the House or the Senate.”

Source:
STAFF PICKS
Reagan Families, Allies Lash Out at Will Ferrell
21 hours ago
WHY WE CARE

Ronald Reagan's children and political allies took to the media and Twitter this week to chide funnyman Will Ferrell for his plans to play a dementia-addled Reagan in his second term in a new comedy entitled Reagan. In an open letter, Reagan's daughter Patti Davis tells Ferrell, who's also a producer on the movie, “Perhaps for your comedy you would like to visit some dementia facilities. I have—I didn’t find anything comedic there, and my hope would be that if you’re a decent human being, you wouldn’t either.” Michael Reagan, the president's son, tweeted, "What an Outrag....Alzheimers is not joke...It kills..You should be ashamed all of you." And former Rep. Joe Walsh called it an example of "Hollywood taking a shot at conservatives again."

Source:
PEAK CONFIDENCE
Clinton No Longer Running Primary Ads
1 days ago
WHY WE CARE

In a sign that she’s ready to put a longer-than-ex­pec­ted primary battle be­hind her, former Sec­ret­ary of State Hil­lary Clin­ton (D) is no longer go­ing on the air in up­com­ing primary states. “Team Clin­ton hasn’t spent a single cent in … Cali­for­nia, In­di­ana, Ken­tucky, Ore­gon and West Vir­gin­ia, while” Sen. Bernie Sanders’ (I-VT) “cam­paign has spent a little more than $1 mil­lion in those same states.” Meanwhile, Sen. Jeff Merkley (D-OR), Sanders’ "lone back­er in the Sen­ate, said the can­did­ate should end his pres­id­en­tial cam­paign if he’s los­ing to Hil­lary Clin­ton after the primary sea­son con­cludes in June, break­ing sharply with the can­did­ate who is vow­ing to take his in­sur­gent bid to the party con­ven­tion in Phil­adelphia.”

Source:
CITIZENS UNITED PT. 2?
Movie Based on ‘Clinton Cash’ to Debut at Cannes
1 days ago
WHY WE CARE

The team behind the bestselling "Clinton Cash"—author Peter Schweizer and Breitbart's Stephen Bannon—is turning the book into a movie that will have its U.S. premiere just before the Democratic National Convention this summer. The film will get its global debut "next month in Cannes, France, during the Cannes Film Festival. (The movie is not a part of the festival, but will be shown at a screening arranged for distributors)." Bloomberg has a trailer up, pointing out that it's "less Ken Burns than Jerry Bruckheimer, featuring blood-drenched money, radical madrassas, and ominous footage of the Clintons."

Source:
×