Target missed multiple data breach warnings, Senate report says

WASHINGTON – A Senate committee called out Target Corp. on Wednesday for missteps that some members said contributed to one of the biggest data heists in U.S. history.

Sen. Richard Blumenthal, D-Conn., told the company's chief financial officer that Target missed "multiple warnings" that could have enabled it to thwart the breach of financial and personal information for up to 110 million customers.

"The best technology in the world is useless without good management," Blumenthal said at a hearing of the Senate Commerce, Science and Transportation Committee.

Target Chief Financial Officer John Mulligan assured the committee that the Minneapolis-based company is making it harder for hackers to break into its computer system.

He said there are now more separations between key portions of the company's computer network. The company also has increased its investment in computer software that blocks malicious software from running on its point-of-sale computer terminals. Additionally, Mulligan said Target has added a second layer of authentication for those who want to access its computers.

The moves are aimed at shortcomings exposed in the successful cyberattack.

Blumenthal was not the only senator to criticize Target's handling of the breach. Committee Chairman Jay Rockefeller, D-W.Va., said Target "fell far short" of protecting its customers, based on a report his staff prepared. The report showed missed opportunities for Target to intervene to stop the hacking.

Rockefeller expressed concern that several Target executives may have known about suspicious activity in the computer system in November, a month ahead of the actual data theft.

"In the future, at some point, the CEO and board of directors have to take responsibility," Rockefeller told Mulligan.

The three-hour hearing was Target's third trip to Capitol Hill to explain how it got hacked. But Wednesday's hearing was the first where members of Congress took the company to task for what they considered mistakes.

Those mistakes, according to the committee report, included:

• Target gave network access to a third-party vendor, a small Pennsylvania heating, ventilation and air conditioning company, that did not appear to follow broadly accepted information security practices. The vendor's weak security allowed the attackers to gain a foothold in Target's network.

• Target appears to have failed to respond to multiple automated warnings from the company's anti-intrusion software that the attackers were installing malware on Target's system.

• Attackers who infiltrated Target's network with a vendor credential appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.

Mulligan told the committee that "intruders" apparently "entered our system Nov. 12." "We now believe that some intruder activity was detected by our computer security systems, logged and surfaced to the [Security Operations Center] and evaluated by our security officials," Mulligan continued.

"We are now asking hard questions regarding the judgments that were made at that time."

The Senate report used a so-called "Kill Chain" model to assess when and how Target could have thwarted the cyberattack that took place during the 2013 holiday shopping season and hurt the company's sales, public image and share price.

Target's chief technology officer, Beth Jacob, resigned in the wake of the data breach.

The amount of fraud that resulted from the data theft remains unclear. Mulligan repeated his testimony from two February congressional hearings that Target has seen no appreciable level of fraud in the debit and credit cards the company issues.

Ellen Richey, Visa's chief risk officer, said her company, one of the country's biggest credit card payment networks, has not seen the expected levels of fraud from the breach. Richey credited that to Target's public notification of the cyberattack in December.

Richey also took the opportunity to promote more-secure card technology that uses a computer chip embedded in cards to protect information.

The Senate committee report is based largely on media stories and reports on the breach from various IT security vendors, and does not reveal new details about how the attack was carried out. However, it does clearly pinpoint at least eight steps Target could have taken to thwart the attack, such as requiring two-factor authentication for all of its contractors when they log in to Target's system.

Another protective step would have been strong firewalls between the retailer's internal systems and the outside Internet, it said.

Missed warnings from "anti-intrusion software" on Nov. 30 and Dec. 2 allowed hackers to continue an attack that began Nov. 12, the report said.

The Senate report also raises questions about the alleged sophistication of the hackers. Target has claimed from the time it made the data breach public that it was victimized by a highly sophisticated network of cyberthieves.

But subsequent analysis by Brian Krebs, the tech blogger who broke the story of the breach, characterized the malware used in the attack as easily available on the black market for $1,800 to $2,300. Bloomberg Businessweek cited an independent cybersecurity expert who called the attack "absolutely unsophisticated and uninteresting," the Senate report pointed out.

Meanwhile, "Target's FireEye software reportedly did detect the data exfiltration malware and decoded the destination of servers on which data for millions of stolen credit cards were stored for days at a time," the report said. "Acting on this information could have stopped the exfiltration, not only at this last stage, but especially during the "delivery step on the kill chain."

One independent IT security expert who reviewed the report said the two-month time frame for the attack on Target simply doesn't make sense to him. It's too fast for a "blind" attacker or attackers to accomplish, said Jeff Hall, a senior security consultant in the Twin Cities for FishNet Security, which is based in Overland Park, Kan.

"I don't buy the timeline," Hall said. "It's too short if this was truly a 'random' attack as it seems to be portrayed. In order for this timeline to work, the attackers would have had to had insider help, most likely a contractor that had worked on Target's systems."

The breach remains the subject of multiple investigations and dozens of lawsuits.

jim.spencer@startribune.com • 202-383-6123 jennifer.bjorhus@startribune.com • 612-673-4683