3/20/2014 01:00 PM

Will Target Face FTC Probe?

Retailer's security practices remain under scrutiny as regulators ponder FTC investigation. Meanwhile, Sony options rights to Hollywood cyber-thriller based on breach story.


Will Target face an official investigation by the Federal Trade Commission (FTC) into its privacy and information security policies, procedures, and practices after its December data breach?

To date, it's not clear if the FTC has launched a formal investigation into the breach, and the agency has so far declined to comment on any such probe.

Target, for its part, has confirmed that it's been in contact with the agency. But it's otherwise declined to comment about any subpoenas or other formal requests for information it might have received. "As we have been since December, we continue to be in communications with the FTC but don't have any additional details to share at this time," Target spokeswoman Molly Snyder said Thursday via email.

Former FTC officials, however, have said it would be unusual for the agency not to be keeping a close eye on the results of the Justice Department's ongoing digital forensic investigation into the attack against the retailer. "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," Jon Leibowitz, a former FTC chairman who's now a partner at Davis Polk & Wardwell, told National Journal.


In the days following the breach, furthermore, Sen. Richard Blumenthal (D-CT) called on the FTC to launch an investigation under the FTC Act, which gives the agency limited authority to investigate businesses' privacy and information security practices. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard," he wrote in a letter to the FTC.

Subsequently, Blumenthal called on the FTC to confirm if it was -- or wasn't -- investigating Target. "I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure," he told The Hill.

But when it comes to assessing breaches, what counts as the "reasonable standard" the senator mentioned? Furthermore, even if Target fell short of that standard, the authority Congress has given the FTC leaves it few options beyond negotiating a settlement in which the business agrees to submit to third-party security audits for a fixed period of time. Target was already undergoing such assessments to comply with the Payment Card Industry Data Security Standard (PCI DSS). Only if Target then violated its FTC settlement would the agency have the power to issue a fine.

Beyond a potential federal investigation, Target also faces a probe by states' attorneys general. In January, New York State Attorney General Eric T. Schneiderman announced that his office was part of a national investigation into the breach.

Those probes aside, Target has vigorously defended its information security posture. "Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant, the unfortunate reality is that we experienced a data breach," spokeswoman Snyder emailed last week.

In the wake of the breach, Target CIO Beth Jacob resigned, and CEO Gregg Steinhafel issued a statement saying that Target would make a number of technology, information security, and compliance changes, including hiring its first-ever CISO.

Commenting on the Target breach, multiple information security experts have said that even if Target had the best security defenses in the world, attackers might still have broken through. Still, as more details about the Target breach have come to light, there's evidence that security personnel overlooked signs of the unfolding attack.

Target said last week that its FireEye security software had generated alerts related to the BlackPOS malware used by the attackers. But after Target's security team reviewed the alerts, "based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," Snyder said last week. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different." In other words, the detection control fired; the gap was in how its alerts were triaged and escalated.

While the end of the Target data breach story has yet to be reached, that hasn't stopped Hollywood from prepping a related movie. Sony has optioned the rights to a New York Times story about security journalist Brian Krebs, who broke the story of the Target breach. The Times story details the risks Krebs has taken during the course of his reporting, as well as his habit of working with a 12-gauge shotgun by his desk.

The deal was first reported by The Hollywood Reporter, which said the studio envisions the movie being "a cyber-thriller... set in the high-stakes international criminal world of cybercrime." According to Mashable, the scriptwriter will be Richard Wenk, who wrote the screenplay for The Expendables 2, as well as the big-screen version of the '80s private-detective television show The Equalizer, which has been "rebooted" with Denzel Washington and is due out in September.

Via Twitter, Krebs said that news of the Sony deal caught him by surprise. "I got an email asking about 'life rights' but I didn't realize it was going forward," he said. There's no word yet on potential casting.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
asksqn, User Rank: Apprentice, 3/27/2014 | 3:47:14 PM
Reform Not Likely
Since the FTC's fact pattern has been to function as little more than an industry lapdog, I'm going to opine that the likelihood of any kind of probe will depend on how vociferously the little people clamor for it, and, even then, any sanctions handed down thereafter will be strictly slaps on the wrist.
Madhava verma dantuluri, User Rank: Apprentice, 3/24/2014 | 12:59:08 AM
Is it
This can't be true. Hope all should go fine.
Alison_Diana, User Rank: Apprentice, 3/21/2014 | 4:13:08 PM
Re: Target's unscrupulous data collection practices
Based on your experience, I wonder how Target handles online game orders?
Laurianne, User Rank: Apprentice, 3/21/2014 | 4:01:39 PM
Re: Target's unscrupulous data collection practices
Scan and save my license to buy cold medicine or a game? No thank you. I would think the last thing Target would want to have to guard right now would be a repository of license data.
Charlie Babcock, User Rank: Strategist, 3/21/2014 | 3:29:23 PM
Re: Target's unscrupulous data collection
That's a fascinating story about Target checkout scanning MyThoughts' driver's license on a flimsy pretext, after they've experienced a massive loss of personal data. Target is showing an unremitting knack for driving away customers.
Alison_Diana, User Rank: Apprentice, 3/20/2014 | 4:00:48 PM
Re: Target's unscrupulous data collection practices
No doubt it's the last game you buy from Target. I know the company uses any legal loopholes to swipe licenses: Florida was not one of the first to make you show ID to buy cold medicine, but Target required a driver's license (and swipe) before it became state law. I figured it was so they had one national standard, not putting it together with data collection all those years ago. I haven't shopped there since the breach and subsequent scam calls to both my phone numbers, but if I do return I won't buy anything that requires ID, legally or per store policy.
Mathew, User Rank: Apprentice, 3/20/2014 | 3:46:57 PM
Re: Target's unscrupulous data collection practices
MyThoughts: A company can't lose what it doesn't collect, eh?
MyThoughts, User Rank: Apprentice, 3/20/2014 | 3:02:51 PM
Target's unscrupulous data collection practices
On a side note regarding Target's data collecting practices, when I recently purchased a video game from a local Target store, the cashier asked to see my driver's license. Without giving away my age, I am undeniably a picture of someone "way" past legal drinking age, let alone the age of seventeen which the "M" rating on the video game box suggests as the appropriate age to play the game.

I asked the cashier why I needed to do so. The cashier said that it was company policy to request age verification for video games with an "M" rating. I didn't stifle my laugh, and neither did another customer besides me, at the absurdity of it all. If I were still in my twenties, I could understand the effort by the cashier to remove a reasonable doubt.

At the time, I just shook my head and offered up my driver's license so that I could get on my way... but then, I got really pissed!! The cashier proceeded to scan my license into the register. I asked what he had just done! He said that he was just following company policy. Well, I was so mad that I asked for a manager. One was not readily near, and so I just spoke my mind to the poor cashier.

I'm usually a mild-mannered person, but with the security issues that Target is dealing with, and the fact that I would call this an unscrupulous way to secure more data from its customers in an already proven flawed system, I vowed to myself that I would from now on make a concerted effort to not support this chain.

I will be curious to see if the FTC's probe to study Target's privacy and information security policies, procedures, and practices will indeed occur. I truly hope so, as I would think that at the very least, it would get Target to be more aggressive over the "Protection" of data rather than the "Gathering" of it.
Shane M. O'Neill, User Rank: Apprentice, 3/20/2014 | 2:39:21 PM
Asleep at the wheel
This debacle warrants an FTC investigation, even if it will just end in more security audits and fines for Target. The company ignored or grossly underestimated repeated alerts about the ongoing hacks from its security vendor, FireEye, and let enough time go by that hackers could move the stolen credit card data to Russian servers. This took the hackers a week or more to do, while Target security teams were basically twiddling their thumbs. If Target had responded to FireEye's warnings around Dec. 1 the whole thing could have been prevented.