Target Faces Senate Committee And Another Lawsuit
Target’s name seemed apt as a Senate committee took aim at the retail giant Wednesday, calling out a number of mistakes the Minneapolis-based company made in dealing with its recent and massive data breach.
While Target is scrambling to fix the problems caused by the breach, the Senate Committee on Commerce, Science, and Transportation released a report, based on media reports and expert analyses, that detailed the company’s missteps in failing to prevent the breach in the first place.
According to the report, key points at which Target failed to detect and stop the attack include the following:
• Target gave network access to a third-party vendor, a small Pennsylvania heating, ventilation and air conditioning company, that did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.
• Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.
• Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.
Target Chief Financial Officer John Mulligan appeared before the committee Wednesday and assured them that the company is taking steps to beef up its data security following the hack.
Mulligan detailed plans to increase the segmentation and separation of key portions of its network to limit unauthorized traffic, strengthen its anti-virus tools, and accelerate the company’s $100 million investment in the adoption of chip-enabled payment device technology that’s been proven to drastically reduce counterfeiting. The company will also continue to reissue new Target credit cards and offer free credit monitoring and identity theft protection.
Mulligan also laid out the timeline for the breach in his testimony and admitted that on November 12, “Some intruder activity was detected by our computer security systems, logged and surfaced to the [Security Operations Center], and evaluated by our security professionals. With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes.”
Separately, Mulligan offered some relatively good news. According to Bloomberg, Mulligan said the amount of fraud from the stolen credit cards has been minimal and less than expected thus far. Target can detect fraud on its own credit cards—which reportedly account for 15 percent of the stolen cards—and Mulligan said the Target brand cards have seen just a 0.1 percent increase in fraud since the breach.
Visa’s Chief Risk Officer Ellen Richey also testified in front of the committee, reportedly stating that major breaches such as Target’s tend to result in fraud on 2 percent to 5 percent of the stolen cards, but that the percentage seen from the Target breach is much lower than that.
Target first publicly confirmed the data breach on December 19, when it announced that 40 million customers had their names and credit or debit card information stolen. On January 10, the company said that 70 million customers’ mailing addresses, phone numbers, or email addresses were also uncovered.
In Mulligan’s recent testimony, he said Target’s analysis now indicates that there is an overlap of at least 12 million customers in the two groups, which means the number of total customers affected could be around 98 million.
The Target breach has resulted in a number of lawsuits and investigations. Most recently, in a lawsuit filed Monday, Trustmark National Bank and Green Bank NA accused Target and Trustwave Holdings, Inc.—which provides payment card security services—of failing to keep customer information safe and causing massive losses for their card issuers.
The complaint seeks a trial by jury and unspecified damages of at least $5 million, citing a report that suggests payment card issuers could sustain upwards of $1 billion of damages as a result of the breach.
The lawsuit claims that Target knew that its point of sale systems were vulnerable in 2007 but didn’t make improvements because it was too expensive, eventually contracting Trustwave for the data security—which the lawsuit claims also failed to bring the company’s systems up to industry standards.