Target missed crucial internal warnings about lurking malware

Target Corp. missed crucial internal warnings in late November about the malware lurking on its computer network, alerts that sounded just as cyberthieves began extracting credit and debit card information from the retailer, according to a report Thursday.

Quoting mostly unnamed sources, Bloomberg Businessweek said Target's IT security teams in Bangalore, India, and in its Security Operations Center in Minneapolis were alerted to the malware and to the addresses of servers where the thieves planned to ship the stolen data. Despite the warnings, no action was taken, according to the report.

The warning could have been a critical opportunity to derail the theft of personal or payment information for as many as 110 million Target shoppers, one of the country's largest consumer data breaches. The cyberattack, which occurred from Nov. 27 through Dec. 18, left the nation's No. 2 discount retailer vulnerable to legal claims of negligence and tarnished its shopper-friendly reputation.

"I just think it's shocking that it could have been prevented," Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka, told the Star Tribune.

Last year, Target installed a $1.6 million malware detection tool from FireEye Inc., according to Bloomberg. On Nov. 30, the FireEye tool issued alerts about unfamiliar malware in Target's computer network to the Bangalore team, which in turn notified the retailer's security team in Minneapolis.

There's a function in the system to automatically delete the malware it finds, but the security team had turned it off, according to Bloomberg.

Target confirmed Thursday that the company had detected "a small amount of … activity" by the cyberthieves before the full scale of the breach was revealed.

"With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," she said.

Target declined further comment. John Mulligan, the retailer's chief financial officer, has testified that the company has invested "hundreds of millions of dollars" on a range of technology security. The breach remains under investigation by the U.S. Secret Service and other groups.

A former Target IT employee said he doesn't think Target had fully integrated FireEye into its daily security protocols at the time of the breach. "It would be another 2 years before Target was good at using it," the former employee said.

Target's Security Operations Center, a restricted office on the 6th floor of the City Center building downtown, sees between 10,000 and 50,000 alerts a day, the former employee said. "It's a tiny office that's packed with ­cubicles and desks," the employee said. "It's very underwhelming."

FireEye said it didn't partici­pate in Bloomberg's story, but declined to comment further.

Target's information security was "light years ahead of any other retailer," Lanterman said. If the Bloomberg story is accurate, it's "a human failure," he said. "It sounds as though the human failure occurred here in Minnesota."

Some data security specialists said it's not uncommon for security specialists to disable something like an automatic delete function because they like to be "hands on" and examine threats.

Lanterman noted that he e-mailed Target's information security team in December, shortly after the breach became public, when he noticed what he called a serious security flaw on Target.com. The flaw enables a hacker to prevent the encryption of a customer's information when they log in, and steal user names and passwords.

"Any 17-year-old can do it," he said of the rogue access point. "I think it's pretty scary."

He never heard back from anyone. "No one bothered to call and say 'Tell me more about this,' " he said.

Target's security team probably didn't trust the FireEye malware detection tool yet because it was still being fine-tuned, said Jeff Hall, a senior security consultant in the Twin Cities for Overland Park, Kan.-based FishNet Security. "It's like any security product: You just don't plug it in, and you're good to go," Hall said.

Nonetheless, Hall said he couldn't understand the process breakdown. "Why didn't somebody bring it up?"

A security architect from Milestone Systems Inc. in Minnetonka said it "paints a very scathing picture of Target." However, many Fortune 100 companies are struggling with handling such alerts.

"You have this complex security and monitoring infrastructure. How to you get information and findings out of that infrastructure or actionable intelligence to decisionmakers?" he said. "This is not isolated to Target."