Letter to Target Corporation President Gregg Steinhafel - Provide Documents on Target Data Breach

Letter

Today Energy and Commerce Committee Ranking Member Henry A. Waxman, Oversight and Investigations Subcommittee Ranking Member Diana DeGette, and Commerce, Manufacturing, and Trade Subcommittee Ranking Member Jan Schakowsky sent a letter to Target Chair, President, and CEO Gregg Steinhafel urging him to provide documents related to the causes and impacts of the December data breach affecting Target customers. Target officials are scheduled to testify before the Energy and Commerce Committee on data breaches during the week of February 3, 2014.

The full text of the letter is available below.

January 23, 2014

Mr. Gregg Steinhafel
Chairman, President, and Chief Executive Officer
Target Corporation
1000 Nicollet Mall
Minneapolis, MN 55403

Dear Mr. Steinhafel:

On December 19, 2013, Target announced that credit card and debit card information for approximately 40 million customers had been compromised in a massive cybersecurity breach. According to Target, criminals "forced their way" into network systems, gaining access to sensitive payment card data including card numbers and encrypted PIN numbers. On January 10, Target acknowledged that another trove of data -- names, addresses, email addresses, and phone numbers -- affecting as many as 70 million customers had also been compromised.

The Committee will be holding a hearing on this breach and the overall impact of data breaches on consumers during the first week of February. We are writing to seek information needed by the Committee prior to the hearing in order to improve our understanding of the causes and impacts of the December data breach affecting Target consumers.

This breach is particularly significant because of its unprecedented scope and scale. More than one-fifth of Americans may be affected by the Target breach. It has been estimated that the costs to banks and retailers could exceed $18 billion and that "consumers could be liable for more than $4 billion in uncovered losses and other costs." While the immediate concerns relate to securing customer information and preventing fraudulent charges, there are many unanswered questions about this cyberattack and its implications for consumer privacy and data security.

Questions remain about how exactly this attack was carried out, who was responsible, whether it could have been prevented, how Target responded, and how retailers and customers can protect themselves going forward. Reuters has reported that "Visa Inc issued two alerts [in April and August] last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware." Despite these warnings, the New York Times reported that the criminals responsible "discovered that Target's systems were astonishingly open -- lacking the virtual walls and motion detectors found in secure networks like many banks'." And security experts have found that the hackers may have been able to break into systems at Target and other stores as a result of weak passwords on point-of-sale systems.

Other reports have also raised questions about the timing and adequacy of disclosure of the breach. Information that Target has provided to the Committee raises additional questions about the timing of the breach and subsequent public disclosure. For example, in a January 17, 2014, briefing with Democratic staff, Target officials informed staff that the company discovered and disabled malware responsible for the breach on December 15, 2013. But the New York Times reported that Target officials were informed of the breach two days earlier, on December 13, 2013.

In order that we may fully understand prior to our Committee hearing how this theft of confidential customer information occurred, we ask that you please provide the following information and documents no later than January 31, 2014:

1. All written policies or guidelines relating to threat monitoring, network security, or point-of-sale system protection, including any strategies to protect against threats posed by memory-parsing malware, from January 1, 2012, to the present.

2. All documentation, pertaining to fiscal year 2013 and dated prior to November 27, 2013, detailing the funds spent and persons employed on the network security of systems serving Target stores. Please indicate whether or not additional funds were spent or additional network security personnel hired to protect the integrity of systems serving Target stores during the holiday season. Please provide comparable documentation for individual fiscal year data for fiscal years 2007-2012.

3. All email correspondence, analyses, reports, or any other communications relating to the Kaptoxa malware, or to point-of-sale system security or any other information security systems implicated in this breach for Target officials from January 1, 2012, to the present. Please detail whether Target was previously aware of any potential vulnerabilities to its point-of-sale systems or any other systems implicated in this breach. Please include all documents, including email correspondence for Target officials from January 1, 2013, to the present, relating to Visa's April and August 2013 alerts regarding memory-parsing malware.

4. All documents relating to Target's response and public notification activities relating to the breach. Please provide a detailed written timeline of when Target was notified of the attacks and of Target's response and public notification activities from December 1, 2013, to the present. Please detail when, how, and by whom Target was first made aware of a potential security breach.

We understand that much of this information is sensitive in nature, and that Target and law enforcement officials are conducting ongoing investigations of the breach. The Committee has a long history of working with confidential and classified material in a sensitive manner, and we are happy to work with you and your staff to ensure that this is the case in this investigation.

Sincerely,

Henry A. Waxman
Ranking Member

Diana DeGette
Ranking Member
Subcommittee on Oversight and Investigations

Jan Schakowsky
Ranking Member
Subcommittee on Commerce, Manufacturing, and Trade
