Will Target Face FTC Probe?

Published: 22/11/2024   Category: security




Retailer's security practices remain under scrutiny as regulators ponder FTC investigation. Meanwhile, Sony options rights to Hollywood cyber-thriller based on breach story.



Will Target face an official investigation by the Federal Trade Commission (FTC) into its privacy and information security policies, procedures, and practices after its December data breach?
To date, it's not clear if the FTC has launched a formal investigation into the breach, and the agency has so far declined to comment on any such probe.
Target, for its part, has confirmed that it's been in contact with the agency. But it's otherwise declined to comment about any subpoenas or other formal requests for information it might have received. "As we have been since December, we continue to be in communications with the FTC but don't have any additional details to share at this time," Target spokeswoman Molly Snyder said Thursday via email.
Former FTC officials, however, have said it would be unusual for the agency to not be keeping a close eye on the results of the Justice Department's ongoing digital forensic investigation into the attack against the retailer. "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," Jon Leibowitz, a former FTC chairman who's now a partner at Davis Polk and Wardwell, told National Journal.
In the days following the breach, furthermore, Sen. Richard Blumenthal (D-CT) called on the FTC to launch an investigation under the auspices of the FTC Act, which somewhat empowers the agency to investigate businesses' privacy and information security practices. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard," he wrote in a letter to the FTC.
Subsequently, Blumenthal called on the FTC to confirm if it was -- or wasn't -- investigating Target. "I think they need to publicly confirm that there is an investigation, because consumers have been left in the dark and the cold when it comes to protection against identity theft and fraud from this massive disclosure," he told The Hill.
But when it comes to assessing breaches, what counts as the "reasonable standard" mentioned by the senator? Furthermore, even if Target fell short of that standard, under the power bestowed on the agency by Congress there's little that the FTC could do, except negotiate a settlement in which the business agreed to submit to third-party security audits for a fixed period of time, which Target was already doing to comply with Payment Card Industry (PCI) regulations. Only if Target then violated its FTC settlement would the agency have the power to issue a fine.
Beyond a potential federal investigation, Target also faces a probe by states' attorneys general. In January, New York State Attorney General Eric T. Schneiderman announced that his office was part of a national investigation into the breach.
Those probes aside, Target has vigorously defended its information security posture. "Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant, the unfortunate reality is that we experienced a data breach," spokeswoman Snyder emailed last week.
In the wake of the breach, Target CIO Beth Jacob resigned, and CEO Gregg Steinhafel issued a statement saying that Target would make a number of technology, information security, and compliance changes, including hiring its first-ever CISO.
Commenting on the Target breach, multiple information security experts have said that even if Target had the best security defenses in the world, attackers may still have broken through. Still, as more details about the Target breach have come to light, there's evidence that security personnel overlooked signs of the unfolding attack.
Target said last week that its FireEye security software had generated related alerts about the BlackPOS malware used by the attackers. But after Target's security team reviewed the alerts, "based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," Snyder said last week. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
While the end of the Target data breach story has yet to be reached, that hasn't stopped Hollywood from prepping a related movie. Sony has optioned the rights to a New York Times story about security journalist Brian Krebs, who broke the story of the Target breach. The Times story details the risks Krebs has taken during the course of his reporting, as well as his habit of working with a 12-gauge shotgun by his desk.
The deal was first reported by Hollywood Reporter, which said the studio envisions the movie being "a cyber-thriller... set in the high-stakes international criminal world of cybercrime." According to Mashable, the scriptwriter will be Richard Wenk, who wrote the screenplay for The Expendables 2, as well as the big-screen version of '80s private-detective television show The Equalizer, which has been rebooted with Denzel Washington and is due out in September.
Via Twitter, Krebs said that news of the Sony deal caught him by surprise. "I got an email asking about life rights but I didn't realize it was going forward," he said. There's no word yet on potential casting.