Target Corp. missed crucial internal warnings in late November about the malware lurking on its computer network, alerts that sounded just as cyberthieves began extracting credit and debit card information from the retailer, according to a report Thursday.
Quoting mostly unnamed sources, Bloomberg Businessweek said Target’s IT security teams in Bangalore, India, and in its Security Operations Center in Minneapolis were alerted to the malware and to the addresses of servers where the thieves planned to ship the stolen data. Despite the warnings, no action was taken, according to the report.
The warning could have been a critical opportunity to derail the theft of personal or payment information for as many as 110 million Target shoppers, one of the country’s largest consumer data breaches. The cyberattack, which occurred from Nov. 27 through Dec. 18, left the nation’s No. 2 discount retailer vulnerable to legal claims of negligence and tarnished its shopper-friendly reputation.
“I just think it’s shocking that it could have been prevented,” Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka, told the Star Tribune.
Last year, Target installed a $1.6 million malware detection tool from FireEye Inc., according to Bloomberg. On Nov. 30, the FireEye tool issued alerts about unfamiliar malware in Target’s computer network to the Bangalore team, which in turn notified the retailer’s security team in Minneapolis.
There’s a function in the system to automatically delete the malware it finds, but the security team had turned it off, according to Bloomberg.
Target confirmed Thursday that the company had detected “a small amount of … activity” by the cyberthieves before the full scale of the breach was revealed.
“That activity was evaluated and acted upon,” company spokeswoman Molly Snyder said in a statement. “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.
“With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different,” she said.
Target declined further comment. John Mulligan, the retailer’s chief financial officer, has testified that the company has invested “hundreds of millions of dollars” on a range of technology security. The breach remains under investigation by the U.S. Secret Service and other groups.
A former Target IT employee said he doesn’t think Target had fully integrated FireEye into its daily security protocols at the time of the breach. “It would be another 2 years before Target was good at using it,” the former employee said.
Target’s Security Operations Center, a restricted office on the 6th floor of the City Center building downtown, sees between 10,000 and 50,000 alerts a day, the former employee said. “It’s a tiny office that’s packed with cubicles and desks,” the employee said. “It’s very underwhelming.”
FireEye said it didn’t participate in Bloomberg’s story, but declined to comment further.
Lanterman called FireEye “world class” security software. It was developed with money from the CIA to prevent this type of attack against government agencies, he said.
Target’s information security was “light years ahead of any other retailer,” Lanterman said. If the Bloomberg story is accurate, it’s “a human failure,” he said. “It sounds as though the human failure occurred here in Minnesota.”
Some data security specialists said it’s not uncommon for security specialists to disable something like an automatic delete function because they like to be “hands on” and examine threats.
Lanterman noted that he e-mailed Target’s information security team in December, shortly after the breach became public, when he noticed what he called a serious security flaw on Target.com. The flaw enables a hacker to prevent the encryption of a customer’s information when they log in, and steal user names and passwords.
“Any 17-year-old can do it,” he said of the rogue access point. “I think it’s pretty scary.”
He never heard back from anyone. “No one bothered to call and say ‘Tell me more about this,’ ” he said.
Lanterman said he noticed a similar issue on MNsure’s health insurance website, and agency officials fixed it in January. “We’ve worked with a number of banks that had the same flaw,” Lanterman said.
Target’s security team probably didn’t trust the FireEye malware detection tool yet because it was still being fine-tuned, said Jeff Hall, a senior security consultant in the Twin Cities for Overland Park, Kan.-based FishNet Security. “It’s like any security product: You just don’t plug it in, and you’re good to go,” Hall said.
Nonetheless, Hall said he couldn’t understand the process breakdown. “Why didn’t somebody bring it up?”
A security architect from Milestone Systems Inc. in Minnetonka said it “paints a very scathing picture of Target.” However, many Fortune 100 companies are struggling with handling such alerts.
“You have this complex security and monitoring infrastructure. How to you get information and findings out of that infrastructure or actionable intelligence to decisionmakers?” he said. “This is not isolated to Target.”