Target missed several opportunities to stop the hackers responsible for the unparalleled 2013 holiday shopping-season data theft, US Senate staffers have alleged in a committee report.
There was no indication that America's second-largest discount retailer responded to warnings that malware was being installed on its system. Other automated warnings, which the company also ignored, showed how the attackers would carry data out of Target's network, according to the report.
The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data Breach," looked at previously reported information and used an analytical tool, the "intrusion kill chain" framework, which is widely known in the information security field.
The Commerce, Science and Transportation Committee report said Target "failed to respond to multiple automated warnings from the company's anti-intrusion software": first, that attackers were installing malicious software, and second, that they were planning escape routes for the information they proposed to steal from the retailer's network.
It also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices.
Target failed to keep its most sensitive network assets separate from the rest of its network, enabling the attackers to move from less sensitive areas to the places where Target stored customer information, said the report.
The report was released on 25 March, on the eve of a committee hearing on how to protect personal consumer information from cyber attacks. Witnesses included John Mulligan, Target's executive vice president and chief financial officer, and Edith Ramirez, chairwoman of the Federal Trade Commission.
Approached by Reuters, Target spokeswoman Molly Snyder refused to comment on the staff report, saying the company did not want to discuss the breach before Mulligan's 26 March testimony.
Target Data Breach
Target discovered a major security breach in December 2013. Payment data from about 40 million credit and debit cards were stolen from Christmas shoppers at its stores over 19 days between 27 November and 15 December.
It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.
Target has confirmed that cybercriminals used malware installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.
Retailer Neiman Marcus has also disclosed that it suffered a similar cyber attack, but did not reveal the number of customers affected.
Both companies have said federal authorities are investigating the data breach.
Following the attack, Target said it was spending millions of dollars on cybersecurity, including the upgrading of its payment card network to the more secure "chip and PIN" standard by early 2015.