WASHINGTON (Reuters) — Target Corp
missed multiple opportunities to thwart the hackers responsible for
the unprecedented holiday shopping season data breach, U.S. Senate
staffers charged in a committee report released on Tuesday.
There was no indication the No. 3 U.S. retailer responded to
warnings that malware was being installed on Target's system. Other
automated warnings the company ignored revealed how the attackers
would carry data out of Target's network, according to the report.
"This analysis suggests that Target missed a number of opportunities
along the kill chain to stop the attackers and prevent the massive
data breach," according to the Commerce, Science and Transportation
Committee report.
The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data
Breach," looked at previously reported information and used an
analytical tool called an "intrusion kill chain" framework, widely
used in the information security field.
It was released on the eve of a committee hearing on how to protect
personal consumer information from cyber attack. Witnesses will
include John Mulligan, Target's executive vice president and chief
financial officer, and Edith Ramirez, chairwoman of the Federal
Trade Commission.
Target spokeswoman Molly Snyder declined comment on the staff
report, saying the company did not want to discuss the breach before
Wednesday's testimony by Mulligan.
The staff report said Target "failed to respond to multiple
automated warnings from the company's anti-intrusion software" that
1) the attackers were installing malicious software and 2) they were
planning escape routes for the information they planned to steal
from the retailer's network.
It also said Target gave access to its network to a third-party
vendor that did not follow accepted information security practices.
Target also did not isolate its most sensitive network assets,
enabling the attackers to move from less sensitive areas to the
places where Target stored consumer information.
The Pennsylvania-based company admitted this month that security
software detected potentially malicious activity during last year's
massive data breach, but its staff decided not to take immediate
action.
It also said that last year's massive security breach could have
been more extensive than reported so far, leading to further losses
at the company.
The company has said so far that some 40 million payment card
records were stolen along with 70 million other customer records
during a cyber attack over the holiday shopping season.
Congress is investigating the breach along with lapses at other
retailers, and credit card companies are pushing for better
security.
Target also faces dozens of potential class-action lawsuits and
action from banks that could seek reimbursement for millions of
dollars in losses due to fraud and the cost of card replacements.
(Reporting by Doina Chiacu; additional reporting by Mark Hosenball
in Washington and Jim Finkle in Boston; editing by Peter Cooney)