Target is quickly becoming the poster child for Washington policymakers anxious to find a solution to curb the growing number of data breaches that steal and compromise the personal information of millions of consumers.
In advance of the Senate Commerce Committee's hearing on cyber attacks and data breaches, the committee released a staff report today analyzing the Target breach and how the retailer missed several opportunities to stop it.
Using a Lockheed Martin approach called a "kill chain" analysis, the report pinpoints exactly where Target went wrong from the moment attackers took advantage of weak security at a Target vendor that provided the hackers with a foothold into Target's inner network. From there, things went downhill fast, the staff report concluded.
The report is expected to be the focal point of tomorrow's hearing where, once again, a Target executive will testify—this time, CFO John Mulligan. Also scheduled to speak is Federal Trade Commission chairwoman Edith Ramirez, who is seeking more agency authority from Congress to enforce data security at companies.
"[The Target data breach] is an unusual incident because of the size of data lost, but it's an all-too common occurrence in the private sector," said a committee staffer. "[Companies] seem to not be developing resources to protect the data," the staffer added.
According to the report's timeline of the breach, Target missed warnings as far back as November from its anti-intrusion software that attackers were installing malware on its network, allowing them to maneuver into the network's most sensitive areas.
Sen. Jay Rockefeller (D-W.Va.), chairman of the committee, is likely to push the data security bill that he introduced in January. The Data Security and Breach Notification Act would grant the FTC the authority to set data security standards and protocols that companies must adopt; establish strong breach notification requirements; and give the FTC and state attorneys general enforcement authority to seek civil penalties. Rockefeller's bill is one of more than half a dozen floating around Congress.
"We learned this week that federal agents notified more than 3,000 companies last year that their computer systems had been hacked. The hard fact is there are so many more breaches we never hear about. It’s increasingly frustrating to me that organizations are resisting the need to invest in their security systems. Target’s compromise of the personal data of millions of their customers should be a clarion call to businesses, both large and small, that it’s time to invest in some changes," Rockefeller said in a statement.
Target's chief information officer resigned earlier this month amid the company's announcement it would restructure its tech backbone and tighten security.