Dark Reading is part of the Informa Tech Division of Informa PLC



Will Target Face FTC Probe?

Retailer's security practices remain under scrutiny as regulators ponder FTC investigation. Meanwhile, Sony options rights to Hollywood cyber-thriller based on breach story.


Will Target face an official investigation by the Federal Trade Commission (FTC) into its privacy and information security policies, procedures, and practices after its December data breach?

To date, it's not clear if the FTC has launched a formal investigation into the breach, and the agency has so far declined to comment on any such probe.

Target, for its part, has confirmed that it has been in contact with the agency, but it has otherwise declined to comment on any subpoenas or other formal requests for information it might have received. "As we have been since December, we continue to be in communications with the FTC but don't have any additional details to share at this time," Target spokeswoman Molly Snyder said Thursday via email.

Former FTC officials, however, have said it would be unusual for the agency to not be keeping a close eye on the results of the Justice Department's ongoing digital forensic investigation into the attack against the retailer. "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," Jon Leibowitz, a former FTC chairman who's now a partner at Davis Polk and Wardwell, told National Journal.


In the days following the breach, furthermore, Sen. Richard Blumenthal (D-CT) called on the FTC to launch an investigation under the FTC Act, which gives the agency limited authority to investigate businesses' privacy and information security practices. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard," he wrote in a letter to the FTC.

Subsequently, Blumenthal called on the FTC to confirm if it was -- or wasn't -- investigating Target. "I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure," he told The Hill.

But when it comes to assessing breaches, what counts as the reasonable standard mentioned by the senator? Furthermore, even if Target fell short of that standard, under the power bestowed on the agency by Congress there's little that the FTC could do, except negotiate a settlement in which the business agreed to submit to third-party security audits for a fixed period of time, which Target was already doing to comply with Payment Card Industry (PCI) regulations. Only if Target then violated its FTC settlement would the agency have the power to issue a fine.

Beyond a potential federal investigation, Target also faces a probe by states' attorneys general. In January, New York State Attorney General Eric T. Schneiderman announced that his office was part of a national investigation into the breach.

Those probes aside, Target has vigorously defended its information security posture. "Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant, the unfortunate reality is that we experienced a data breach," spokeswoman Snyder emailed last week.

In the wake of the breach, Target CIO Beth Jacob resigned, and CEO Gregg Steinhafel issued a statement saying that Target would make a number of technology, information security, and compliance changes, including hiring its first-ever CISO.

Commenting on the Target breach, multiple information security experts have said that even if Target had the best security defenses in the world, attackers may still have broken through. Still, as more details about the Target breach have come to light, there's evidence that security personnel overlooked signs of the unfolding attack.

Target said last week that its FireEye security software had generated related alerts about the BlackPOS malware used by the attackers. But after Target's security team reviewed the alerts, "based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," Snyder said last week. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."

While the end of the Target data breach story has yet to be reached, that hasn't stopped Hollywood from prepping a related movie. Sony has optioned the rights to a New York Times story about security journalist Brian Krebs, who broke the story of the Target breach. The Times story details the risks Krebs has taken during the course of his reporting, as well as his habit of working with a 12-gauge shotgun by his desk.

The deal was first reported by Hollywood Reporter, which said the studio envisions the movie being "a cyber-thriller... set in the high-stakes international criminal world of cybercrime." According to Mashable, the scriptwriter will be Richard Wenk, who wrote the screenplay for The Expendables 2, as well as the big-screen version of '80s private-detective television show The Equalizer, which has been "rebooted" with Denzel Washington and is due out in September.

Via Twitter, Krebs said that news of the Sony deal caught him by surprise. "I got an email asking about 'life rights' but I didn't realize it was going forward," he said. There's no word yet on potential casting.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
asksqn
User Rank: Ninja
3/27/2014 | 3:47:14 PM
Reform Not Likely
Since the FTC's fact pattern has been to function as little more than industry lapdog, I'm going to opine that the likelihood of any kind of probe will depend on how vociferously the little people clamor for it, and, even then, any sanctions handed down thereafter will be strictly slaps on the wrist.
Madhava verma dantuluri
User Rank: Apprentice
3/24/2014 | 12:59:08 AM
Is it
This can't be true. Hope all goes fine.
Alison_Diana
User Rank: Moderator
3/21/2014 | 4:13:08 PM
Re: Target's unscrupulous data collection practices
Based on your experience, I wonder how Target handles online game orders? 
Laurianne
User Rank: Apprentice
3/21/2014 | 4:01:39 PM
Re: Target's unscrupulous data collection practices
Scan and save my license to buy cold medicine or a game? No thank you. I would think the last thing Target would want to have to guard right now would be a repository of license data.
Charlie Babcock
User Rank: Ninja
3/21/2014 | 3:29:23 PM
Re: Target's unscrupulous data collection
That's a fascinating story about Target checkout scanning MyThought's driver's license on a flimsy pretext, after they've experienced a massive loss of personal data. Target is showing an unremitting knack for driving away customers.
Alison_Diana
User Rank: Moderator
3/20/2014 | 4:00:48 PM
Re: Target's unscrupulous data collection practices
No doubt it's the last game you buy from Target. I know the company uses any legal loopholes to swipe licenses: Florida was not one of the first to make you show ID to buy cold medicine, but Target required a driver's license (and swipe) before it became state law. I figured it was so they had one national standard, not putting it together with data collection all those years ago. I haven't shopped there since the breach and subsequent scam calls to both my phone numbers, but if I do return I won't buy anything that requires ID, legally or per store policy.
Mathew
User Rank: Apprentice
3/20/2014 | 3:46:57 PM
Re: Target's unscrupulous data collection practices
MyThoughts: A company can't lose what it doesn't collect, eh?
MyThoughts
User Rank: Apprentice
3/20/2014 | 3:02:51 PM
Target's unscrupulous data collection practices
On a side note regarding Target's data collecting practices, when I recently purchased a video game from a local Target store, the cashier asked to see my driver's license. Without giving away my age, I am undeniably a picture of someone "way" past legal drinking age, let alone the age of seventeen which the "M" rating on the video game box suggests as the appropriate age to play the game.

I asked the cashier why I needed to do so.  The cashier said that it was company policy to request age verification for video games with an "M" rating.  I didn't stifle my laugh, as neither did another customer besides me, at the absurdity of it all.  If I was still in my twenties, I could understand the effort by the cashier to remove a reasonable doubt.

At the time, I just shook my head and offered up my driver's license so that I could get on my way... but then, I got really pissed!! The cashier proceeded to scan my license into the register. I asked what he had just done! He said that he was just following company policy. Well, I was so mad that I asked for a manager. One was not readily near and so I just spoke my mind to the poor cashier.

I'm usually a mild-mannered person, but with the security issues that Target is dealing with, and the fact that I would call this an unscrupulous way to secure more data from its customers in an already proven flawed system, I vowed to myself that I would from now on make a concerted effort to not support this chain.

I will be curious to see if the FTC's probe to study Target's privacy and information security policies, procedures, and practices will indeed occur. I truly hope so, as I would think that at the very least, it would get Target to be more aggressive over the "Protection" of data rather than the "Gathering" of it.
Shane M. O'Neill
User Rank: Apprentice
3/20/2014 | 2:39:21 PM
Asleep at the wheel
This debacle warrants an FTC investigation, even if it will just end in more security audits and fines for Target. The company ignored or grossly underestimated repeated alerts about the ongoing hacks from its security vendor, FireEye, and let enough time go by that hackers could move the stolen credit card data to Russian servers. This took the hackers a week or more to do, while Target security teams were basically twiddling their thumbs. If Target had responded to FireEye's warnings around Dec. 1 the whole thing could have been prevented.