Target Corp. missed crucial internal warnings in late November about the malware lurking on its computer network, alerts that sounded just as cyberthieves began extracting credit and debit card information from the retailer, according to a report Thursday.
Quoting mostly unnamed sources, Bloomberg Businessweek said Target's IT security teams in Bangalore, India, and in its Security Operations Center in Minneapolis were alerted to the malware and to the addresses of servers where the thieves planned to ship the stolen data. Despite the warnings, no action was taken, according to the report.
The warning could have been a critical opportunity to derail the theft of personal or payment information for as many as 110 million Target shoppers, one of the country's largest consumer data breaches. The cyberattack, which occurred from Nov. 27 through Dec. 18, left the nation's No. 2 discount retailer vulnerable to legal claims of negligence and tarnished its shopper-friendly reputation.
"I just think it's shocking that it could have been prevented," Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka, told the Star Tribune.
Last year, Target installed a $1.6 million malware detection tool from FireEye Inc., according to Bloomberg. On Nov. 30, the FireEye tool issued alerts about unfamiliar malware in Target's computer network to the Bangalore team, which in turn notified the retailer's security team in Minneapolis.
There's a function in the system to automatically delete the malware it finds, but the security team had turned it off, according to Bloomberg.
Target confirmed Thursday that the company had detected "a small amount of … activity" by the cyberthieves before the full scale of the breach was revealed.
"That activity was evaluated and acted upon," company spokeswoman Molly Snyder said in a statement. "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.