In the staff report called, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach,” the committee says Target “failed to respond to multiple automated warnings from the company’s anti-intrusion software” that not only was malware being installed on the company system, but also automated warnings that the hackers were also setting up an virtual escape vehicle, as it were, to carry away the data it was planning to steal.
The report looked at information about the breach that has already been reported and used something called an “intrusion kill chain” framework often used in the information security field to analyze the situation.
“This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach,” the committee’s findings say, according to Reuters.
It also said Target gave access to its network to a third-party vendor (likely a heating and air conditioning company) that didn’t follow accepted information security processes.
It’s not great timing for Target, either, as the company is scheduled to be part of a committee hearing on how to protect personal consumer information from cyber attack today.
Target’s executive vice president and chief financial officer John Mulligan is slated to testify. A spokeswoman declined to comment on the report and told Reuters Target didn’t want to talk about the breach before today’s testimony.