Will Target Face FTC Probe?

Retailer's security practices remain under scrutiny as regulators ponder FTC investigation. Meanwhile, Sony options rights to Hollywood cyber-thriller based on breach story.

Will Target face an official investigation by the Federal Trade Commission (FTC) into its privacy and information security policies, procedures, and practices after its December data breach?

To date, it's not clear if the FTC has launched a formal investigation into the breach, and the agency has so far declined to comment on any such probe.

Target, for its part, has confirmed that it's been in contact with the agency. But it's otherwise declined to comment about any subpoenas or other formal requests for information it might have received. "As we have been since December, we continue to be in communications with the FTC but don't have any additional details to share at this time," Target spokeswoman Molly Snyder said Thursday via email.

Former FTC officials, however, have said it would be unusual for the agency not to be keeping a close eye on the results of the Justice Department's ongoing digital forensic investigation into the attack against the retailer. "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," Jon Leibowitz, a former FTC chairman who's now a partner at Davis Polk and Wardwell, told National Journal.

In the days following the breach, furthermore, Sen. Richard Blumenthal (D-CT) called on the FTC to launch an investigation under the FTC Act, whose Section 5 prohibition on unfair or deceptive practices is the authority the agency relies on to police businesses' privacy and information security practices. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard," he wrote in a letter to the FTC.

Subsequently, Blumenthal called on the FTC to confirm if it was -- or wasn't -- investigating Target. "I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure," he told The Hill.

But when it comes to assessing breaches, what counts as the reasonable standard mentioned by the senator? Furthermore, even if Target fell short of that standard, the FTC's remedies are limited. Congress gave the agency no authority to fine a company for a first-time Section 5 violation; the usual outcome is a negotiated consent order in which the business agrees to a comprehensive security program and independent third-party assessments for a fixed period, typically 20 years. Target was already undergoing annual third-party assessments to meet the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual requirement of the card brands rather than a government regulation. Only if Target then violated the terms of an FTC order would the agency be able to seek civil penalties.

Beyond a potential federal investigation, Target also faces a probe by states' attorneys general. In January, New York State Attorney General Eric T. Schneiderman announced that his office was part of a national investigation into the breach.

Those probes aside, Target has vigorously defended its information security posture. "Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant, the unfortunate reality is that we experienced a data breach," spokeswoman Snyder emailed last week. A PCI DSS attestation, however, is a point-in-time assessment of a scoped cardholder-data environment; it is not evidence that the assessed controls were operating, or were being acted on, when the intrusion took place.

In the wake of the breach, Target CIO Beth Jacob resigned, and CEO Gregg Steinhafel issued a statement saying that Target would make a number of technology, information security, and compliance changes, including hiring its first-ever CISO.

Commenting on the Target breach, multiple information security experts have said that even with the best security defenses in the world, Target might still have been breached. Still, as more details have come to light, there's evidence that security personnel overlooked signs of the unfolding attack.

Target said last week that its FireEye security software had generated alerts related to the BlackPOS malware used by the attackers. But after Target's security team reviewed the alerts, "based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," Snyder said last week. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different." The failure described here is one of triage rather than detection: the sensor fired, and the decision not to act was made by people reviewing alerts one at a time.
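One guardrail security operations teams use against exactly this failure mode is a rule that overrides per-alert analyst dispositions when the same malware family keeps recurring across hosts. The following is an added illustration, not code from Target, FireEye, or anyone quoted in this article. The alert records, hostnames, timestamps and field names (ts, host, family, disposition) are constructed for the example and are not FireEye's alert schema; the only detail taken from the article is the malware family name.

```python
"""Re-surface analyst-closed malware alerts that recur across hosts.

Added example: the alert format below is constructed for illustration and is
an assumption, not the schema of any real product. The escalation logic is a
generic sliding-window correlation, not anything the article attributes to
Target or FireEye.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. Three POS hosts report the same family within a
# few days; an analyst closed each one individually as not worth follow-up.
# A fourth, unrelated alert on a workstation should not be escalated.
SAMPLE_ALERTS = [
    {"ts": "2013-11-30T02:14:00", "host": "pos-0412", "family": "BlackPOS", "disposition": "closed"},
    {"ts": "2013-11-30T02:21:00", "host": "pos-0977", "family": "BlackPOS", "disposition": "closed"},
    {"ts": "2013-12-02T11:05:00", "host": "pos-1130", "family": "BlackPOS", "disposition": "closed"},
    {"ts": "2013-12-01T09:00:00", "host": "wks-corp-17", "family": "Adware.Generic", "disposition": "closed"},
    {"ts": "2013-12-03T08:40:00", "host": "pos-0412", "family": "BlackPOS", "disposition": "open"},
]


def _when(alert):
    """Parse the alert timestamp (ISO 8601, assumed format)."""
    return datetime.fromisoformat(alert["ts"])


def recurring_suppressed(alerts, window=timedelta(days=7), min_hosts=3):
    """Return {family: sorted hosts} for malware families whose *closed*
    alerts touched at least `min_hosts` distinct hosts inside any `window`.

    Closing one alert is an analyst's call; the same family on three hosts
    in a week looks like a campaign, so it is escalated regardless of how
    each alert was dispositioned. Alerts still open are left to the normal
    queue and are not counted here.
    """
    by_family = defaultdict(list)
    for alert in alerts:
        if alert["disposition"] == "closed":
            by_family[alert["family"]].append(alert)

    escalations = {}
    for family, items in by_family.items():
        items.sort(key=_when)
        # Slide a window anchored at each alert; stop at the first window
        # that reaches the host threshold.
        for i, start in enumerate(items):
            hosts = {start["host"]}
            for later in items[i + 1:]:
                if _when(later) - _when(start) > window:
                    break
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                escalations[family] = sorted(hosts)
                break
    return escalations


if __name__ == "__main__":
    for family, hosts in recurring_suppressed(SAMPLE_ALERTS).items():
        print(f"ESCALATE {family}: closed on {len(hosts)} hosts -> {hosts}")
```

The threshold and window are policy knobs: a point-of-sale fleet where the same family appears on a handful of registers deserves a lower threshold than a general-purpose workstation estate, and the rule should key on distinct hosts rather than raw alert count so that one noisy machine does not trigger it.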

While the end of the Target data breach story has yet to be reached, that hasn't stopped Hollywood from prepping a related movie. Sony has optioned the rights to a New York Times story about security journalist Brian Krebs, who broke the story of the Target breach. The Times story details the risks Krebs has taken during the course of his reporting, as well as his habit of working with a 12-gauge shotgun by his desk.

The deal was first reported by Hollywood Reporter, which said the studio envisions the movie being "a cyber-thriller... set in the high-stakes international criminal world of cybercrime." According to Mashable, the scriptwriter will be Richard Wenk, who wrote the screenplay for The Expendables 2, as well as the big-screen version of '80s private-detective television show The Equalizer, which has been "rebooted" with Denzel Washington and is due out in September.

Via Twitter, Krebs said that news of the Sony deal caught him by surprise. "I got an email asking about 'life rights' but I didn't realize it was going forward," he said. There's no word yet on potential casting.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

User Rank: Ninja
3/27/2014 | 3:47:14 PM
Reform Not Likely
Since the FTC's fact pattern has been to function as little more than industry lapdog, I'm going to opine that the likelihood of any kind of probe will depend on how vociferously the little people clamor for one, and, even then, any sanctions handed down thereafter will be strictly slaps on the wrist.
Madhava verma dantuluri
User Rank: Apprentice
3/24/2014 | 12:59:08 AM
Is it
This can't be true. Hope all should go fine.
User Rank: Moderator
3/21/2014 | 4:13:08 PM
Re: Target's unscrupulous data collection practices
Based on your experience, I wonder how Target handles online game orders? 
User Rank: Apprentice
3/21/2014 | 4:01:39 PM
Re: Target's unscrupulous data collection practices
Scan and save my license to buy cold medicine or a game? No thank you. I would think the last thing Target would want to have to guard right now would be a repository of license data.
Charlie Babcock
User Rank: Ninja
3/21/2014 | 3:29:23 PM
Re: Target's unscrupulous data collection
That's a fascinating story about Target checkout scanning MyThought's driver's license on a flimsy pretext after they've experienced a massive loss of personal data. Target is showing an unremitting knack for driving away customers.
User Rank: Moderator
3/20/2014 | 4:00:48 PM
Re: Target's unscrupulous data collection practices
No doubt it's the last game you buy from Target. I know the company uses any legal loophole to swipe licenses: Florida was not one of the first to make you show ID to buy cold medicine, but Target required a driver's license (and swipe) before it became state law. I figured it was so they had one national standard, not putting it together with data collection all those years ago. I haven't shopped there since the breach and subsequent scam calls to both my phone numbers, but if I do return I won't buy anything that requires ID, legally or per store policy.
User Rank: Apprentice
3/20/2014 | 3:46:57 PM
Re: Target's unscrupulous data collection practices
MyThoughts: A company can't lose what it doesn't collect, eh?
User Rank: Apprentice
3/20/2014 | 3:02:51 PM
Target's unscrupulous data collection practices
On a side note regarding Target's data collecting practices, when I recently purchased a video game from a local Target store, the cashier asked to see my driver's license. Without giving away my age, I am undeniably a picture of someone "way" past legal drinking age, let alone the age of seventeen which the "M" rating on the video game box suggests as the appropriate age to play the game.

I asked the cashier why I needed to do so.  The cashier said that it was company policy to request age verification for video games with an "M" rating.  I didn't stifle my laugh, as neither did another customer besides me, at the absurdity of it all.  If I was still in my twenties, I could understand the effort by the cashier to remove a reasonable doubt.

At the time, I just shook my head and offered up my driver's license so that I could get on my way... but then, I got really pissed!! The cashier proceeded to scan my license into the register. I asked what he had just done! He said that he was just following company policy. Well, I was so mad that I asked for a manager. One was not readily near and so I just spoke my mind to the poor cashier.

I'm usually a mild-mannered person, but with the security issues that Target is dealing with, and the fact that I would call this an unscrupulous way to secure more data from its customers in an already proven flawed system, I vowed to myself that I would from now on make a concerted effort to not support this chain.

I will be curious to see if the FTC's probe to study Target's privacy and information security policies, procedures, and practices will indeed occur. I truly hope so, as I would think that at the very least it would get Target to be more aggressive over the "Protection" of data rather than the "Gathering" of it.

Shane M. O'Neill
User Rank: Apprentice
3/20/2014 | 2:39:21 PM
Asleep at the wheel
This debacle warrants an FTC investigation, even if it will just end in more security audits and fines for Target. The company ignored or grossly underestimated repeated alerts about the ongoing hacks from its security vendor, FireEye, and let enough time go by that hackers could move the stolen credit card data to Russian servers. This took the hackers a week or more to do, while Target security teams were basically twiddling their thumbs. If Target had responded to FireEye's warnings around Dec. 1 the whole thing could have been prevented.