Will Target face an official investigation by the Federal Trade Commission (FTC) into its privacy and information security policies, procedures, and practices after its December data breach?
To date, it's not clear if the FTC has launched a formal investigation into the breach, and the agency has so far declined to comment on any such probe.
Target, for its part, has confirmed that it's been in contact with the agency. But it's otherwise declined to comment about any subpoenas or other formal requests for information it might have received. "As we have been since December, we continue to be in communications with the FTC but don't have any additional details to share at this time," Target spokeswoman Molly Snyder said Thursday via email.
Former FTC officials, however, have said it would be unusual for the agency to not be keeping a close eye on the results of the Justice Department's ongoing digital forensic investigation into the attack against the retailer. "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," Jon Leibowitz, a former FTC chairman who's now a partner at Davis Polk and Wardwell, told National Journal.
[When it comes to security, sometimes technology is the easy part. Read Target's Weak Points, Examined.]
In the days following the breach, furthermore, Sen. Richard Blumenthal (D-CT) called on the FTC to launch an investigation under the auspices of the FTC Act, which somewhat empowers the agency to investigate businesses' privacy and information security practices. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard," he wrote in a letter to the FTC.
Subsequently, Blumenthal called on the FTC to confirm if it was -- or wasn't -- investigating Target. "I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure," he told The Hill.
But when it comes to assessing breaches, what counts as the reasonable standard mentioned by the senator? Furthermore, even if Target fell short of that standard, under the power bestowed on the agency by Congress there's little that the FTC could do, except negotiate a settlement in which the business agreed to submit to third-party security audits for a fixed period of time, which Target was already doing to comply with Payment Card Industry (PCI) regulations. Only if Target then violated its FTC settlement would the agency have the power to issue a fine.
Beyond a potential federal investigation, Target also faces a probe by states' attorneys general. In January, New York State Attorney General Eric T. Schneiderman announced that his office was part of a national investigation into the breach.
Those probes aside, Target has vigorously defended its information security posture. "Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant, the unfortunate reality is that we experienced a data breach," spokeswoman Snyder emailed last week.
In the wake of the breach, Target CIO Beth Jacob resigned, and CEO Gregg Steinhafel issued a statement saying that Target would make a number of technology, information security, and compliance changes, including hiring its first-ever CISO.
Commenting on the Target breach, multiple information security experts have said that even if Target had the best security defenses in the world, attackers may still have broken through. Still, as more details about the Target breach have come to light, there's evidence that security personnel overlooked signs of the unfolding attack.
Target said last week that its FireEye security software had generated related alerts about the BlackPOS malware used by the attackers. But after Target's security team reviewed the alerts, "based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," Snyder said last week. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
While the end of the Target data breach story has yet to be reached, that hasn't stopped Hollywood from prepping a related movie. Sony has optioned the rights to a New York Times story about security journalist Brian Krebs, who broke the story of the Target breach. The Times story details the risks Krebs has taken during the course of his reporting, as well as his habit of working with a 12-gauge shotgun by his desk.
The deal was first reported by Hollywood Reporter, which said the studio envisions the movie being "a cyber-thriller... set in the high-stakes international criminal world of cybercrime." According to Mashable, the scriptwriter will be Richard Wenk, who wrote the screenplay for The Expendables 2, as well as the big-screen version of '80s private-detective television show The Equalizer, which has been "rebooted" with Denzel Washington and is due out in September.
Via Twitter, Krebs said that news of the Sony deal caught him by surprise. "I got an email asking about 'life rights' but I didn't realize it was going forward," he said. There's no word yet on potential casting.
Pen testing helps companies become more secure by finding and analyzing their insecurities, but pen test services can be fraught with their own kind of risk. In this Dark Reading report, we recommend what to look for in a provider and its wares, how to get what you pay for, and how to ensure that pen testing itself doesn't open the company or its employees up to new risk. Read our Choosing, Managing And Evaluating A Penetration Testing Service report today. (Free registration required.)