(Corrects headquarters to Minneapolis in paragraph 10)
By Doina Chiacu
WASHINGTON, March 25 Target Corp missed
multiple opportunities to thwart the hackers responsible for the
unprecedented holiday shopping season data breach, U.S. Senate
staffers charged in a committee report released on Tuesday.
There was no indication the No. 3 U.S. retailer responded to
warnings that malware was being installed on Target's system.
Other automated warnings the company ignored revealed how the
attackers would carry data out of Target's network, according to
"This analysis suggests that Target missed a number of
opportunities along the kill chain to stop the attackers and
prevent the massive data breach," according to the Commerce,
Science and Transportation Committee report.
The staff report, "A 'Kill Chain' Analysis of the 2013
Target Data Breach," looked at previously reported information
and used an analytical tool called an "intrusion kill chain"
framework used widely by information security field.
It was released on the eve of a committee hearing on how to
protect personal consumer information from cyber attack.
Witnesses will include John Mulligan, Target's executive vice
president and chief financial officer, and Edith Ramirez,
chairwoman of the Federal Trade Commission.
Target spokeswoman Molly Snyder declined committee on the
staff report, saying the company did not want to discuss the
breach before Wednesday's testimony by Mulligan.
The staff report said Target "failed to respond to multiple
automated warnings from the company's anti-intrusion software"
that 1) the attackers were installing malicious software and 2)
they were planning escape routes for the information they
planned to steal from the retailer's network.
It also said Target gave access to its network to a
third-party vendor that did not follow accepted information
Target also did not isolate its most sensitive network
assets, enabling the attackers to move from less sensitive areas
to the places where Target stored consumer information.
The Minneapolis-based company admitted this month that
security software detected potentially malicious activity during
last year's massive data breach, but its staff decided not to
take immediate action.
It also said that last year's massive security breach could
have been more extensive than reported so far, leading to
further losses at the company.
The company has said so far that some 40 million payment
card records were stolen along with 70 million other customer
records during a cyber attack over the holiday shopping season.
Congress is investigating the breach along with lapses at
other retailers, and credit card companies are pushing for
Target also faces dozens of potential class-action lawsuits
and action from banks that could seek reimbursement for millions
of dollars in losses due to fraud and the cost of card
(Reporting by Doina Chiacu; Additional reporting by Mark
Hosenball in Washington and Jim Finkle in Boston; Editing by