Report: Target missed multiple breach warnings


WASHINGTON — Target Corp. assured a Senate committee Wednesday that it is making it harder for hackers to break into its computer system after one of the biggest data heists in U.S. history.

Target CFO John Mulligan told members of the Senate Commerce, Science and Transportation Committee that there are now more separations between key portions of the company’s computer network. The company has also increased investment in computer software that blocks malicious software from running on its point-of-sale computer terminals. Additionally, Mulligan said Target has added a second layer of authentication for those who want to access its computers.

The moves are aimed at shortcomings exposed in the theft of financial and personal data from up to 110 million customers in one of the nation’s worst consumer data breaches.

Late Tuesday, the commerce committee released a report that said Target missed multiple opportunities to stop the consumer data breach.

Target’s missteps, according to the report, included:

• “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, that did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

• “Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.

• “Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less-sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”

Mulligan told the committee that “intruders” apparently “entered our system Nov. 12.” “We now believe that some intruder activity was detected by our computer security systems, logged and surfaced to the (Security Operations Center) and evaluated by our security officials,” Mulligan continued.

“We are now asking hard questions regarding the judgments that were made at that time.”

The company is studying whether it had “the right personnel in the right positions.”

Commerce committee chair Sen. Jay Rockefeller, D-W.Va., had strong words for Target in an opening statement, saying the company “fell far short” of adequately protecting customers’ private information. Target’s contention that it met industry data security standards “wasn’t enough,” Rockefeller added.

The Senate report used what’s called a “kill chain” model to assess when and how Target could have thwarted the cyberattack that took place during the 2013 holiday shopping season and hurt the company’s sales, public image and share price.

Target’s chief information technology officer, Beth Jacob, resigned after the data breach was revealed.

The amount of fraud that resulted from the data theft remains unclear. Mulligan repeated his testimony from two February congressional hearings that Target has seen no appreciable fraud in the debit and credit cards the company issues.

Ellen Richey, Visa’s chief risk officer, said her company, which operates one of the country’s biggest payment card networks, has not seen the expected levels of fraud from the breach. Richey credited that to Target’s public notification of the cyberattack in December.

Richey also took the opportunity to promote more secure EMV chip card technology, which uses a computer chip embedded in the card to protect card data.

The Senate committee report is based largely on media stories and reports on the breach from various IT security vendors, and does not reveal new details about how the attack was carried out. It does, however, clearly pinpoint at least eight steps Target could have taken to thwart the attack, such as requiring two-factor authentication for all of its contractors when they log in to Target’s system.

Another protective step would have been strong firewalls between the retailer’s internal systems and the outside Internet, it said.

Missed warnings from “anti-intrusion software” on Nov. 30 and Dec. 2 allowed hackers to continue an attack that began Nov. 12, the report said.

The Senate report also raises questions about the alleged sophistication of the hackers. Target has claimed from the time it made the data breach public that it was victimized by a highly sophisticated network of cyberthieves.

But subsequent analysis by Brian Krebs, the tech blogger who broke the story of the breach, characterized the malware used in the attack as easily available on the black market for $1,800 to $2,300. Bloomberg Businessweek cited an independent cybersecurity expert who called the attack “absolutely unsophisticated and uninteresting,” the Senate report pointed out.

Meanwhile, “Target’s FireEye software reportedly did detect the data exfiltration malware and decoded the destination of servers on which data for millions of stolen credit cards were stored for days at a time,” the report said. “Acting on this information could have stopped the exfiltration, not only at this last stage, but especially during the ‘delivery’ step on the kill chain.”