Target CFO Grilled in Senate Hearing

Young Male Government Employee Uses Laptop Computer in System Control Monitoring Center. In the Background His Coworkers at Their Workspaces with Many Displays Showing Technical Data.

Do you think the team at Target had knowledge of their exposure and were ultimately responsible for their data breach?

Does Trustwave share in the responsibility for the breach?

Senator John Rockefeller attempts to get to the bottom of things yesterday.

Following the release of a new Senate report that analyzed how Target Corp. possibly missed several opportunities to prevent a massive data breach last year, Sen. John Rockefeller, D-W.Va., grilled the company’s CFO at a March 26 hearing about the retailer’s actions.

During the Senate Commerce, Science and Transportation Committee hearing, Rockefeller questioned Target’s John Mulligan about the steps the company could have taken to prevent the breach that compromised 40 million credit and debit card details and personal information about 70 million customers.

“The report walked through many steps attackers had to go through in order to hack your company,” Rockefeller said during the hearing. “Then it explains how Target could have prevented the breach if you had stopped attackers from completing even just one of the steps [in the report].”

For example, the report prepared for the committee notes that Target gave network access to a third-party vendor, which did not appear to follow broadly accepted information security practices. The vendor’s weak security apparently allowed the attackers to gain a foothold in Target’s network, the report notes (see: Target Vendor Acknowledges Breach).

When asked if Target could have prevented the breach if that vendor – Fazio Mechanical Services – had better security practices, Mulligan responded, “Yes.”

Rockefeller also pressed Mulligan for an explanation of how hackers were able to gain access to the company’s most sensitive data. The report notes the attackers who infiltrated Target’s network with a vendor’s credentials appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that the retailer failed to properly isolate its most sensitive network assets.

“We did have proper [network] segmentation in place, as recent as two months prior to the attack,” Mulligan said. “Your question is an excellent one – how they migrated from the outermost layer to the innermost [of the company’s systems]. I don’t have the answer to that.”

Rockefeller also asked the Target CFO how the retailer measured the level of security at its third-party vendors. Mulligan said the company has processes in place to assess the risks of those vendors. “We have standards and we have an audit process to ensure vendors are meeting them,” Mulligan said.

Rockefeller questioned further, “Who at Target was ultimately responsible for company security?” Mulligan replied: “We have multiple teams who work in data security. Several executives were reported to [about the breach].”

The company recently announced plans to hire a chief information security officer.

Read the full story on

Previous ArticleSocial engineering attacks: Is security focused on the wrong problem? Next ArticleHow to Defend Against Identity Theft This Tax Season