Target’s CFO told a Senate committee that the company has taken important steps after a major data breach.
In this January 2014 file photo, Stuart Ingis of Venable LLP, left, speaks with John Mulligan, the chief financial officer of Target, at a Senate Judiciary Committee meeting on Capitol Hill in Washington, Jan. 4, 2014. The testimony, focused on preventing data breaches and cybercrime, comes amid reports of consumers using more cash and less credit in the wake of the widespread theft of credit card data.
WASHINGTON – A Senate committee called out Target Corp. on Wednesday for missteps that some members said contributed to one of the biggest data heists in U.S. history.
Sen. Richard Blumenthal, D-Conn., told the company’s chief financial officer that Target missed “multiple warnings” that could have enabled it to thwart the breach of financial and personal information for up to 110 million customers.
“The best technology in the world is useless without good management,” Blumenthal said at a hearing of the Senate Commerce, Science and Transportation Committee.
Target Chief Financial Officer John Mulligan assured the committee that the Minneapolis-based company is making it harder for hackers to break into its computer system.
He said there are now more separations between key portions of the company’s computer network. The company also has increased its investment in computer software that blocks malicious software from running on its point-of-sale computer terminals. Additionally, Mulligan said Target has added a second layer of authentication for those who want to access its computers.
The moves are aimed at shortcomings exposed in the successful cyberattack.
Blumenthal was not the only senator to criticize Target’s handling of the breach. Committee Chairman Jay Rockefeller, D-W.Va., said Target “fell far short” of protecting its customers, based on a report his staff prepared. The report showed missed opportunities for Target to intervene to stop the hacking.
Rockefeller expressed concern that several Target executives may have known about suspicious activity in the computer system in November, a month ahead of the actual data theft.
“In the future, at some point, the CEO and board of directors have to take responsibility,” Rockefeller told Mulligan.
The three-hour hearing was Target’s third trip to Capitol Hill to explain how it got hacked. But Wednesday’s hearing was the first where members of Congress took the company to task for what they considered mistakes.
Those mistakes, according to the committee report, included:
• Target gave network access to a third-party vendor, a small Pennsylvania heating, ventilation and air conditioning company, that did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.
• Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.
• Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.
Mulligan told the committee that “intruders” apparently “entered our system Nov. 12.” “We now believe that some intruder activity was detected by our computer security systems, logged and surfaced to the [Security Operations Center] and evaluated by our security officials,” Mulligan continued.
“We are now asking hard questions regarding the judgments that were made at that time.”
The Senate report used a so-called “Kill Chain” model to assess when and how Target could have thwarted the cyberattack that took place during the 2013 holiday shopping season and hurt the company’s sales, public image and share price.
Target’s chief technology officer, Beth Jacob, resigned in the wake of the data breach.