Missteps at Target underlined

Ellen Richey, chief legal officer of Visa Inc., responds to a question Wednesday during a Senate hearing on Target’s data breach. At the table with Richey are John Mulligan (second from right), chief financial officer of Target Corp., Wallace Loh, president of the University of Maryland, and Edith Ramirez, chairman of the Federal Trade Commission.

WASHINGTON - A Target Corp. executive told a U.S. Senate committee Wednesday that the retailer had clues about a data breach that affected millions of customers weeks before responding and is now investigating why the company took so long to react.

Sometime after intruders entered Target’s systems on Nov. 12, their activities were detected and evaluated by security professionals, according to remarks Chief Financial Officer John Mulligan submitted to the panel. The company was later alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.

“We are asking hard questions about whether we could have taken different actions before the breach was discovered that would’ve resulted in different outcomes,” Mulligan told members of the Senate Commerce, Science and Transportation Committee on Wednesday.

“In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound,” he said.

Mulligan also said that the retailer has made it harder for intruders to break into and move through its computer systems: there is now more segmentation between key portions of the company’s network. The Minneapolis-based company has also increased investment in software that blocks unapproved programs from running on its point-of-sale terminals (application whitelisting), Mulligan said, and has added a second layer of authentication for those who want to access its systems.

The moves are aimed at shortcomings exposed in the theft of financial and personal data from up to 110 million customers in one of the nation’s worst consumer data breaches.

After the attack became public in December, during the height of the Christmas shopping season, it harmed Target’s reputation and fourth-quarter sales. The company’s U.S. comparable-store sales decreased 2.5 percent in the period. Target spent $61 million responding to the situation last quarter, including costs to investigate the breach and offer identity-theft services to customers. Insurance covered $44 million of the tab, leaving the company with an expense of $17 million in the period.

Late Tuesday, the Senate committee released a report that said Target missed multiple opportunities to stop the consumer data breach.

Target’s missteps, according to the report, included:

“Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, that did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.

“Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.

“Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less-sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
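The three missteps above are, in practice, one question a network reviewer can ask of a firewall policy: can the zone a vendor logs into reach the zone that holds cardholder data, directly or through intermediate zones, and can that sensitive zone reach the Internet at all? The following is an added example, not code from the Senate report, Target or any vendor named on this page: a toy zone-to-zone policy model with a breadth-first reachability check, run over two constructed policies, a flat one that allows the vendor-to-register path the report describes and a segmented one that closes it. Zone names, rules and the `pos_stores`/`vendor_portal` labels are assumptions made for illustration.

```python
"""Added example (not from the Senate report, Target, or any vendor):
a toy model of zone-to-zone firewall policy, used to check whether a
vendor-facing zone can reach the zone holding cardholder data, and
whether that zone can reach the Internet.  Zone names and rules are
constructed for illustration."""
from collections import deque

# Constructed policies.  Each (source_zone, destination_zone) pair is an
# allowed connection; anything not listed is denied.
FLAT_POLICY = {
    ("vendor_portal", "corp_internal"),   # vendor billing/contract access
    ("corp_internal", "pos_stores"),      # IT manages store registers
    ("pos_stores", "corp_internal"),
    ("corp_internal", "internet"),
    ("pos_stores", "internet"),           # registers can reach outside
}

SEGMENTED_POLICY = {
    ("vendor_portal", "vendor_dmz"),      # vendors land in a DMZ only
    ("corp_internal", "pos_stores"),      # management path stays one-way
    ("pos_stores", "payment_gateway"),    # registers talk only to the processor
    ("corp_internal", "internet"),
}


def reachable_path(policy, src, dst):
    """Breadth-first search over allowed edges.  Returns the list of
    zones on a shortest path from src to dst, or None if dst cannot be
    reached under the policy."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for s, d in policy:
            if s == zone and d not in parents:
                parents[d] = zone
                queue.append(d)
    return None


def vendor_paths_to(policy, sensitive_zone="pos_stores"):
    """Map each vendor-facing zone (name starts with 'vendor') to the
    path by which it reaches sensitive_zone; zones with no path are
    omitted.  An empty dict means the vendor side is isolated."""
    zones = {z for edge in policy for z in edge}
    found = {}
    for zone in sorted(zones):
        if zone.startswith("vendor") and zone != sensitive_zone:
            path = reachable_path(policy, zone, sensitive_zone)
            if path:
                found[zone] = path
    return found


def egress_path(policy, sensitive_zone="pos_stores", egress_zone="internet"):
    """Path from the sensitive zone to the Internet, i.e. the route an
    exfiltration tool would use; None if no such route exists."""
    return reachable_path(policy, sensitive_zone, egress_zone)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "vendor->registers:", vendor_paths_to(policy))
        print(name, "registers->internet:", egress_path(policy))
```

In the flat policy the vendor zone reaches the registers through the corporate network, which is exactly the lateral move the report describes, and the registers can reach the Internet, which is the exfiltration route. The segmented policy yields no path in either direction. The model ignores ports, protocols and host-level controls, so a "no path" result is a necessary condition, not proof of isolation.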

“We now believe that some intruder activity was detected by our computer security systems, logged and surfaced to the [Security Operations Center] and evaluated by our security officials,” Mulligan said. “We are now asking hard questions regarding the judgments that were made at that time.”

The company is studying whether it had “the right personnel in the right positions.”

Commerce Committee Chairman Sen. Jay Rockefeller, D-W.Va., had strong words for Target in an opening statement, saying the company “fell far short” of adequately protecting customers’ private information. Target’s contention that it met industry data security standards “wasn’t enough,” Rockefeller added.

The Senate report used what’s called a “kill chain” model to assess when and how Target could have thwarted the cyber attack that took place during the 2013 Christmas shopping season and hurt the company’s sales, public image and share price.

Target’s chief information-technology officer, Beth Jacob, resigned earlier this month after the data breach was revealed.

The amount of fraud that resulted from the data theft remains unclear. Mulligan repeated his testimony from two February congressional hearings that Target has seen no appreciable fraud in the debit and credit cards the company issues.

Ellen Richey, Visa’s chief risk officer, said her company, one of the country’s biggest payment-card networks, has not seen the anticipated levels of fraud from the breach. Richey credited that to Target’s public notification in December that it had been hit with a cyber attack.

Richey also took the opportunity to promote more secure card technology that uses a computer chip embedded in cards to protect information.

The Senate committee report is based largely on media stories and reports on the breach from various information-technology security vendors and does not reveal new details about how the attack was carried out. It does, however, clearly pinpoint at least eight steps Target could have taken to thwart the attack, such as requiring two-factor authentication for all of its contractors when they log in to Target’s system.

Another protective step would have been stronger firewalls between the retailer’s internal systems and the outside Internet, it said.

Missed warnings from “anti-intrusion software” on Nov. 30 and Dec. 2 allowed hackers to continue an attack that began Nov. 12, the report said.

The Senate report also raises questions about the purported sophistication of the hackers. Target has claimed from the time it made the data breach public that it was victimized by a highly sophisticated network of cyber thieves.

But subsequent analysis by Brian Krebs, the tech blogger who broke the story of the breach, characterized the malware used in the attack as easily available on the black market for $1,800 to $2,300. Bloomberg Businessweek cited an independent cyber security expert who called the attack “absolutely unsophisticated and uninteresting,” the Senate report pointed out.

Meanwhile, “Target’s FireEye software reportedly did detect the data exfiltration malware and decoded the destination of servers on which data for millions of stolen credit cards were stored for days at a time,” the report said. “Acting on this information could have stopped the exfiltration, not only at this last stage, but especially during the ‘delivery’ step on the kill chain.”
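The two detection points the report describes, the repeated “malware being installed” warnings on Nov. 30 and Dec. 2 and the later alert that decoded an external destination for the exfiltration traffic, are the kind of signal that a security operations centre should turn into an incident rather than a queue entry. The block below is an added example, not code from the report, Target or FireEye: a small triage rule run over constructed alert records. It escalates when one alert category fires on several distinct hosts within a sliding window, and escalates any outbound-destination alert from a register host on its own, since a single decoded external destination from a point-of-sale device is enough to act on. The field names, hostnames, dates, destination address and threshold are assumptions.

```python
"""Added example (not from the Senate report, Target, or FireEye): a
triage rule over constructed alert records that escalates a burst of
the same alert category across many hosts, and any outbound-destination
alert from a register host.  Hosts, dates, categories, the destination
address and the threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, category, detail).
# Dates mirror the report's Nov. 30 / Dec. 2 warnings; nothing else is real.
SAMPLE_ALERTS = [
    ("2013-11-30 03:12:07", "pos-store-0412", "malware.binary", "dropped new executable"),
    ("2013-11-30 03:14:51", "pos-store-0977", "malware.binary", "dropped new executable"),
    ("2013-11-30 03:20:02", "pos-store-1203", "malware.binary", "dropped new executable"),
    ("2013-12-01 18:40:13", "corp-wks-221",   "policy.usb",     "removable media"),
    ("2013-12-02 02:58:44", "pos-store-0412", "malware.binary", "dropped new executable"),
    ("2013-12-02 03:01:09", "pos-store-0088", "malware.binary", "dropped new executable"),
    ("2013-12-02 04:10:30", "pos-store-0412", "net.exfil",      "dst=203.0.113.44:443"),
]

WINDOW = timedelta(hours=24)   # sliding window for the burst rule
HOST_THRESHOLD = 3             # distinct hosts needed to call it a burst
REGISTER_PREFIX = "pos-"       # assumed naming convention for register hosts


def parse(alerts):
    """Turn the string timestamps into datetimes, keeping the other fields."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, cat, detail)
            for ts, host, cat, detail in alerts]


def escalations(alerts):
    """Return escalation records as (kind, category, timestamp, hosts).

    kind == "burst":  category seen on >= HOST_THRESHOLD distinct hosts
                      inside one WINDOW; reported once, at the window start.
    kind == "egress": a net.exfil alert from a register host, reported
                      individually regardless of how many there are.
    """
    rows = sorted(parse(alerts))
    by_cat = defaultdict(list)
    for ts, host, cat, detail in rows:
        by_cat[cat].append((ts, host, detail))

    out = []
    for cat, hits in by_cat.items():
        for i, (ts0, _, _) in enumerate(hits):
            hosts = {h for ts, h, _ in hits[i:] if ts - ts0 <= WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                out.append(("burst", cat, ts0, sorted(hosts)))
                break   # one burst record per category is enough to page on

    for ts, host, cat, detail in rows:
        if cat == "net.exfil" and host.startswith(REGISTER_PREFIX):
            out.append(("egress", cat, ts, [host]))
    return out


if __name__ == "__main__":
    for record in escalations(SAMPLE_ALERTS):
        print(*record)
```

The burst rule fires on the first night's three register alerts, two days before any exfiltration alert; the egress rule fires on the decoded destination alone. Both thresholds are deliberately low because the assets are payment terminals, where a single new executable is already abnormal; on general-purpose workstations a practitioner would tune them higher.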

The Target breach remains the subject of multiple investigations and dozens of lawsuits. Information for this article was contributed by Jim Spencer and Jennifer Bjorhus of the (Minneapolis) Star Tribune and by Renee Dudley and Michael Riley of Bloomberg News.

Front Section, Page 1 on 03/27/2014
