Target missed multiple data breach warnings, Senate report says

Target's CFO told a Senate committee that the company has taken important steps after a major data breach.

In this January 2014 file photo, Stuart Ingis of Venable LLP, left, speaks with John Mulligan, the chief financial officer of Target, at a Senate Judiciary Committee meeting on Capitol Hill in Washington, Jan. 4, 2014. The testimony, focused on preventing data breaches and cybercrime, comes amid reports of consumers using more cash and less credit in the wake of the widespread theft of credit card data. (Colleen Kelly — New York Times/The Minnesota Star Tribune)

WASHINGTON – A Senate committee called out Target Corp. on Wednesday for missteps that some members said contributed to one of the biggest data heists in U.S. history.

Sen. Richard Blumenthal, D-Conn., told the company's chief financial officer that Target missed "multiple warnings" that could have enabled it to thwart the breach of financial and personal information for up to 110 million customers.

"The best technology in the world is useless without good management," Blumenthal said at a hearing of the Senate Commerce, Science and Transportation Committee.

Target Chief Financial Officer John Mulligan assured the committee that the Minneapolis-based company is making it harder for hackers to break into its computer system.

He said there are now more separations between key portions of the company's computer network. The company also has increased its investment in computer software that blocks malicious software from running on its point-of-sale computer terminals. Additionally, Mulligan said Target has added a second layer of authentication for those who want to access its computers.

The moves are aimed at shortcomings exposed in the successful cyberattack.

Blumenthal was not the only senator to criticize Target's handling of the breach. Committee Chairman Jay Rockefeller, D-W.Va., said Target "fell far short" of protecting its customers, based on a report his staff prepared. The report showed missed opportunities for Target to intervene to stop the hacking.

Rockefeller expressed concern that several Target executives may have known about suspicious activity in the computer system in November, a month ahead of the actual data theft.

"In the future, at some point, the CEO and board of directors have to take responsibility," Rockefeller told Mulligan.

The three-hour hearing was Target's third trip to Capitol Hill to explain how it got hacked. But Wednesday's hearing was the first where members of Congress took the company to task for what they considered mistakes.

Those mistakes, according to the committee report, included:

• Target gave network access to a third-party vendor, a small Pennsylvania heating, ventilation and air conditioning company, that did not appear to follow broadly accepted information security practices. The vendor's weak security allowed the attackers to gain a foothold in Target's network.

• Target appears to have failed to respond to multiple automated warnings from the company's anti-intrusion software that the attackers were installing malware on Target's system.

• Attackers who infiltrated Target's network with a vendor credential appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.

Mulligan told the committee that "intruders" apparently "entered our system Nov. 12." "We now believe that some intruder activity was detected by our computer security systems, logged and surfaced to the [Security Operations Center] and evaluated by our security officials," Mulligan continued.

"We are now asking hard questions regarding the judgments that were made at that time."

The Senate report used a so-called "Kill Chain" model to assess when and how Target could have thwarted the cyberattack that took place during the 2013 holiday shopping season and hurt the company's sales, public image and share price.

Target's chief technology officer, Beth Jacob, resigned in the wake of the data breach.

The amount of fraud that resulted from the data theft remains unclear. Mulligan repeated his testimony from two February congressional hearings that Target has seen no appreciable level of fraud in the debit and credit cards the company issues.

Ellen Richey, Visa's chief risk officer, said her company, one of the country's biggest credit card payment networks, has not seen the expected levels of fraud from the breach. Richey credited that to Target's public notification of the cyberattack in December.

Richey also took the opportunity to promote more-secure card technology that uses a computer chip embedded in cards to protect information.

The Senate committee report is based largely on media stories and reports on the breach from various IT security vendors, and does not reveal new details about how the attack was carried out. However, it does clearly pinpoint at least eight steps Target could have taken to thwart the attack, such as requiring two-factor authentication for all of its contractors when they log in to Target's system.

Another protective step would have been strong firewalls between the retailer's internal systems and the outside Internet, it said.

Missed warnings from "anti-intrusion software" on Nov. 30 and Dec. 2 allowed hackers to continue an attack that began Nov. 12, the report said.

The Senate report also raises questions about the alleged sophistication of the hackers. Target has claimed from the time it made the data breach public that it was victimized by a highly sophisticated network of cyberthieves.

But subsequent analysis by Brian Krebs, the tech blogger who broke the story of the breach, characterized the malware used in the attack as easily available on the black market for $1,800 to $2,300. Bloomberg Businessweek cited an independent cybersecurity expert who called the attack "absolutely unsophisticated and uninteresting," the Senate report pointed out.

Meanwhile, "Target's FireEye software reportedly did detect the data exfiltration malware and decoded the destination of servers on which data for millions of stolen credit cards were stored for days at a time," the report said. "Acting on this information could have stopped the exfiltration, not only at this last stage, but especially during the 'delivery' step on the kill chain."

One independent IT security expert who reviewed the report said the two-month time frame for the attack on Target simply doesn't make sense to him. It's too fast for a "blind" attacker or attackers to accomplish, said Jeff Hall, a senior security consultant in the Twin Cities for FishNet Security, which is based in Overland Park, Kan.

"I don't buy the timeline," Hall said. "It's too short if this was truly a 'random' attack as it seems to be portrayed. In order for this timeline to work, the attackers would have had to have had insider help, most likely a contractor that had worked on Target's systems."

The breach remains the subject of multiple investigations and dozens of lawsuits.

jim.spencer@startribune.com • 202-383-6123 jennifer.bjorhus@startribune.com • 612-673-4683

John J. Mulligan, Target Corporation's chief financial officer and executive vice president, testifies before the Senate Commerce Committee about recent cyber attacks on Target retail stores and security breaches of consumers' financial information, at the Capitol in Washington, Wednesday, March 26, 2014. During the holiday shopping season, personal data from millions of Target customers was stolen by hackers who targeted credit card terminals in its stores. (AP Photo/J. Scott Applewhi
Target’s John Mulligan on how Target reacted to intruder alerts: “We are now asking hard questions regarding the judgments that were made at that time.” (The Minnesota Star Tribune)
Target Corporation Vice President and chief financial officer John Mulligan, second from left, attends a U.S. Senate Committee on Commerce, Science and Transportation hearing on protecting personal consumer information from cyber attacks and data breaches on Capitol Hill in Washington, March 26, 2014. From left: University of Maryland President Wallace Loh, Mulligan, Visa Chief Enterprise Risk Officer Ellen Richey, Marsh & McLennan Executive Vice President and General Counsel Peter Beshar, and E
Target Corp. Chief Financial Officer John Mulligan, second from left, at a U.S. Senate committee hearing Wednesday, said Target is making it more difficult for hackers to break into its system. (The Minnesota Star Tribune)
about the writers

Jim Spencer

Washington Correspondent

Washington correspondent Jim Spencer examines the impact of federal politics and policy on Minnesota businesses, especially the medical technology, food distribution, farming, manufacturing, retail and health insurance industries.

Jennifer Bjorhus

Reporter

Jennifer Bjorhus is a reporter covering the environment for the Star Tribune.
