Target missed many warning signs leading to breach - U.S. Senate report

WASHINGTON Wed Mar 26, 2014 9:34pm IST

Related Topics

Stocks

   

WASHINGTON (Reuters) - Target Corp (TGT.N) missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday.

There was no indication the No. 3 U.S. retailer responded to warnings that malware was being installed on Target's system. Other automated warnings the company ignored revealed how the attackers would carry data out of Target's network, according to the report.

"This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach," according to the Commerce, Science and Transportation Committee report.

The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data Breach," looked at previously reported information and used an analytical tool called an "intrusion kill chain" framework used widely by information security field.

It was released on the eve of a committee hearing on how to protect personal consumer information from cyber attack. Witnesses will include John Mulligan, Target's executive vice president and chief financial officer, and Edith Ramirez, chairwoman of the Federal Trade Commission.

Target spokeswoman Molly Snyder declined committee on the staff report, saying the company did not want to discuss the breach before Wednesday's testimony by Mulligan.

The staff report said Target "failed to respond to multiple automated warnings from the company's anti-intrusion software" that 1) the attackers were installing malicious software and 2) they were planning escape routes for the information they planned to steal from the retailer's network.

It also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices.

Target also did not isolate its most sensitive network assets, enabling the attackers to move from less sensitive areas to the places where Target stored consumer information.

The Minneapolis-based company admitted this month that security software detected potentially malicious activity during last year's massive data breach, but its staff decided not to take immediate action.

It also said that last year's massive security breach could have been more extensive than reported so far, leading to further losses at the company.

The company has said so far that some 40 million payment card records were stolen along with 70 million other customer records during a cyber attack over the holiday shopping season.

Congress is investigating the breach along with lapses at other retailers, and credit card companies are pushing for better security.

Target also faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.

(Reporting by Doina Chiacu; Additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston; Editing by Peter Cooney)

FILED UNDER:

Hack Attack

REUTERS SHOWCASE

Nifty Above 8,600

Nifty Above 8,600

Nifty hits record high above 8,600; state-run lenders gain  Full Article 

Indian in Iraq

Indian in Iraq

India says no contact with 39 men held by Islamic State in Iraq.  Full Article 

Sahara Issue

Sahara Issue

Sahara looks to raise $650 million loan to fund bail.  Full Article 

Bhopal Tragedy

Bhopal Tragedy

Bhopal's toxic legacy lives on, 30 years after industrial disaster.  Full Article 

Essar Group

Essar Group

Exclusive - Essar's planned oil-for-steel deal tests Iran sanctions  Full Article 

Islamic Fund

Islamic Fund

India gets new Islamic equity fund but debt market still off-limits  Full Article 

Fiscal Deficit

Fiscal Deficit

April-October fiscal deficit nears 90 pct of full-year target  Full Article 

Oil Prices

Oil Prices

Oil hits new four-year low post OPEC as glut looms  Full Article 

Gold Imports

Gold Imports

India eases gold import rule in surprise move.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device  Full Coverage