Detection software’s alerts about malware didn’t result in immediate action.
Brian Beeksma pushes a cart of goods as employees work on preparing the new Target store in Guelph, Ontario. Target announced that it is opening three pilot stores in Guelph, Fergus and Milton, Ontario March 5, 2013, the first of 124 Target stores to open in Canada, Media were given a preview tour, Monday, March 4, 2013. (AP Photo/The Canadian Press, Dave Chidley) ORG XMIT: CPOTK
Target Corp. missed crucial internal warnings in late November about the malware lurking on its computer network, alerts that sounded just as cyberthieves began extracting credit and debit card information from the retailer, according to a report Thursday.
Quoting mostly unnamed sources, Bloomberg Businessweek said Target’s IT security teams in Bangalore, India, and in its Security Operations Center in Minneapolis were alerted to the malware and to the addresses of servers where the thieves planned to ship the stolen data. Despite the warnings, no action was taken, according to the report.
The warning could have been a critical opportunity to derail the theft of personal or payment information for as many as 110 million Target shoppers, one of the country’s largest consumer data breaches. The cyberattack, which occurred from Nov. 27 through Dec. 18, left the nation’s No. 2 discount retailer vulnerable to legal claims of negligence and tarnished its shopper-friendly reputation.
“I just think it’s shocking that it could have been prevented,” Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka, told the Star Tribune.
Last year, Target installed a $1.6 million malware detection tool from FireEye Inc., according to Bloomberg. On Nov. 30, the FireEye tool issued alerts about unfamiliar malware in Target’s computer network to the Bangalore team, which in turn notified the retailer’s security team in Minneapolis.
There’s a function in the system to automatically delete the malware it finds, but the security team had turned it off, according to Bloomberg.
Target confirmed Thursday that the company had detected “a small amount of … activity” by the cyberthieves before the full scale of the breach was revealed.
“That activity was evaluated and acted upon,” company spokeswoman Molly Snyder said in a statement. “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.
“With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different,” she said.
Target declined further comment. John Mulligan, the retailer’s chief financial officer, has testified that the company has invested “hundreds of millions of dollars” on a range of technology security. The breach remains under investigation by the U.S. Secret Service and other groups.
A former Target IT employee said he doesn’t think Target had fully integrated FireEye into its daily security protocols at the time of the breach. “It would be another 2 years before Target was good at using it,” the former employee said.
Target’s Security Operations Center, a restricted office on the 6th floor of the City Center building downtown, sees between 10,000 and 50,000 alerts a day, the former employee said. “It’s a tiny office that’s packed with cubicles and desks,” the employee said. “It’s very underwhelming.”
FireEye said it didn’t participate in Bloomberg’s story, but declined to comment further.
Lanterman called FireEye “world class” security software. It was developed with money from the CIA to prevent this type of attack against government agencies, he said.
Target’s information security was “light years ahead of any other retailer,” Lanterman said. If the Bloomberg story is accurate, it’s “a human failure,” he said. “It sounds as though the human failure occurred here in Minnesota.”
Some data security specialists said it’s not uncommon for security specialists to disable something like an automatic delete function because they like to be “hands on” and examine threats.
Lanterman noted that he e-mailed Target’s information security team in December, shortly after the breach became public, when he noticed what he called a serious security flaw on Target.com. The flaw enables a hacker to prevent the encryption of a customer’s information when they log in, and steal user names and passwords.
“Any 17-year-old can do it,” he said of the rogue access point. “I think it’s pretty scary.”