Target CFO Grilled in Senate HearingSen. Rockefeller Questions Company's Efforts to Prevent Breach
Following the release of a new Senate report that analyzed how Target Corp. possibly missed several opportunities to prevent a massive data breach last year, Sen. John Rockefeller, D-W.Va., grilled the company's CFO at a March 26 hearing about the retailer's actions.
See Also: Data Center Security Study - The Results
During the Senate Commerce, Science and Transportation Committee hearing, Rockefeller questioned Target's John Mulligan about the steps the company could have taken to prevent the breach that compromised 40 million credit and debit card details and personal information about 70 million customers.
"The report walked through many steps attackers had to go through in order to hack your company," Rockefeller said during the hearing. "Then it explains how Target could have prevented the breach if you had stopped attackers from completing even just one of the steps [in the report]."
For example, the report prepared for the committee notes that Target gave network access to a third-party vendor, which did not appear to follow broadly accepted information security practices. The vendor's weak security apparently allowed the attackers to gain a foothold in Target's network, the report notes (see: Target Vendor Acknowledges Breach).
When asked if Target could have prevented the breach if that vendor - Fazio Mechanical Services - had better security practices, Mulligan responded, "Yes."
Rockefeller also pressed Mulligan for an explanation of how hackers were able to gain access to the company's most sensitive data. The report notes the attackers who infiltrated Target's network with a vendor's credentials appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting that the retailer failed to properly isolate its most sensitive network assets.
"We did have proper [network] segmentation in place, as recent as two months prior to the attack," Mulligan said. "Your question is an excellent one - how they migrated from the outermost layer to the innermost [of the company's systems]. I don't have the answer to that."
Rockefeller also asked the Target CFO how the retailer measured the level of security at its third-party vendors. Mulligan said the company has processes in place to assess the risks of those vendors. "We have standards and we have an audit process to ensure vendors are meeting them," Mulligan said.
Rockefeller questioned further, "Who at Target was ultimately responsible for company security?" Mulligan replied: "We have multiple teams who work in data security. Several executives were reported to [about the breach]."
The company recently announced plans to hire a chief information security officer.
Rockefeller made reference to the company's former CIO, Beth Jacob, who resigned March 5 (see: Target to Hire New CIO, Revamp Security). "You had a former CIO, Beth Jacob, and I want to make sure she doesn't get run over by a bus in this discussion," Rockefeller said. "What I'm getting at is, at some point, the CEO and board of directors have to accept responsibility. I believe in responsibility. It has to come down to a point, a source point."
Senator Richard Blumenthal, D-Conn., questioned Mulligan as to why Target didn't detect the breach sooner. The report, for example, said the retailer appeared to have failed to respond to multiple automated warnings from its anti-intrusion software that the attackers were installing malware (see: Did Target Ignore Security Warning?).
"We're going back to understand [what happened]," Mulligan said. "Our team assesses hundreds of alerts each day. We identified malware on the morning of Dec. 15 and provided public notice four days later. We were focused on speed and doing so quickly."
During the hearing, Mulligan also offered several updates on Target's breach prevention efforts since last year's incident. For example, he said the company has already installed approximately 10,000 payment devices in Target stores capable of handling more secure chip card transactions. The retailer expects to complete installation of the devices in all its stores by this September, six months ahead of schedule. "We also expect to begin to issue chip-enabled Target REDcards and accept all chip-enabled cards by early 2015," Mulligan said.
Free Credit Monitoring
Also testifying at the March 26 hearing was Wallace Loh, president of the University of Maryland, which recently experienced two data breaches (see: University Breaches: A Continuing Trend). Loh said the university has offered affected individuals five years of credit monitoring services after receiving complaints that one year of protection wasn't enough.
"It's our responsibility to provide the maximum protection possible," Loh said.
Senator Edward Markey, D-Mass., asked Target's Mulligan why the company had only offered affected customers one year of free credit monitoring services. "Our understanding was that one year was appropriate and would provide appropriate coverage," Mulligan replied. "We're not dogmatic about that. We haven't received that feedback; if we did, we'd reconsider that."
Rockefeller said recent high-profile breaches show that it's time to invest in changes. "Many companies have failed to take responsibility for their data security weaknesses," he said. "I'm just as disappointed at Congress. This is my message: It's time to come to the table and be willing to compromise."
Rockefeller, along with Democratic leaders of the Senate Commerce, Science and Transportation Committee, introduced the Data Security and Breach Notification Act of 2014, which would provide a federal standard for companies to safeguard consumers' personal information throughout their systems and to quickly notify consumers if those systems are breached (see: Yet Another Data Breach Bill Introduced).