By Paul Ziobro
Target Corp. is re-examining why its data-security team missed
signs that hackers were inside its system and has plugged some
critical security gaps that helped enable one of the largest
credit-card thefts in corporate history.
In an update ahead of a congressional hearing, Target said the
hackers appeared to have first entered its system on Nov. 12, 2013,
more than a month before the discount retail chain's investigators
concluded that a breach had occurred. The company's security system
had logged suspicious activity in the interim, but the company
decided not to follow up after it was evaluated by its security
team.
"With the benefit of hindsight and new information, we are now
asking hard questions regarding the judgments that were made at
that time and assessing whether different judgments may have led to
different outcomes, " according to prepared remarks Target Chief
Financial Officer John Mulligan plans to deliver Wednesday
afternoon to the Senate Commerce Committee.
Mr. Mulligan is set to make his third appearance in the last two
months on Capitol Hill, where legislators are holding hearings
about the events that led to the data breach. Lawmakers also are
considering legislation to regulate how quickly consumers are
notified that their data were compromised and whether an entity
such as the Federal Trade Commission should set security standards
for retailers.
Target said it since has taken steps to beef up its data
security, such as building tougher walls between parts of its
network and adding more "two-factor" authentication protocols so
that hackers can't just log in using a stolen password. Those two
lapses were criticized by data-security professionals as basic
safeguards that companies should take to keep their networks
secure.
Target's data breach, in which 40 million credit- and debit-card
numbers were stolen in the weeks before the year-end holidays, is
one of several retailer data thefts that have come to light in
recent months.
Target in January said the hackers stole such personal
information as addresses and telephone numbers of up to 70 million
customers. Target said it now has found that at least 12 million
shoppers had both their credit-card and some personal information
stolen and the overlap is likely greater.
Write to Paul Ziobro at paul.ziobro@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires