Senate Report Analyzes Target BreachPinpoints Apparent Missed Opportunities to Prevent Incident
A new report prepared for a Senate committee provides an extensive analysis of how retailer Target Corp. possibly missed several opportunities to prevent the massive data breach last year that compromised 40 million credit and debit card details, as well as personal information for 70 million customers.
Senator John Rockefeller, D-W.Va., on March 25 unveiled the report "A 'Kill Chain' Analysis of the 2013 Target Data Breach." It was slated to be discussed at an afternoon hearing on March 26 of the Senate Committee on Commerce, Science and Transportation.
The document offers a step-by-step explanation of how the Target breach occurred, "based on media reports and expert analyses that have been published since Target publicly acknowledged this breach on December 19, 2013." It notes: "Although the complete story of how this breach took place may not be known until Target completes its forensic examination of the breach, facts already available in the public record provide a great deal of useful information about the attackers' methods and Target's defenses."
The analysis prepared for the Senate committee suggests that Target apparently missed a number of opportunities to stop the attackers and prevent the massive data breach. The report notes:
- Target gave network access to a third-party vendor, a small Pennsylvania company, which did not appear to follow broadly accepted information security practices. The vendor's weak security allowed the attackers to gain a foothold in Target's network (see: Target Vendor Acknowledges Breach).
- The retailer appears to have failed to respond to multiple automated warnings from its anti-intrusion software that the attackers were installing malware (see: Did Target Ignore Security Warning?).
- Attackers who infiltrated Target's network with a vendor credential appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting that the retailer failed to properly isolate its most sensitive network assets.
- Target appears to have failed to respond to multiple warnings from the company's anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from the retailer's network.
"For nearly a decade, we've had major data breaches at companies both large and small," Rockefeller says. "Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry's disingenuous attempts at negotiations. It's time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on."