How Target easily could have kept 40 million credit cards from being stolen
As Target still struggles to restore consumer confidence and profits after last December's massive data breach, a new report asserts the retail giant could have easily prevented the whole fiasco.
According to Bloomberg Businessweek, the technology used to steal some 40 million credit card numbers and other valuable pieces of personal information during the busy holiday shopping season was neither cutting edge nor complicated. In fact, the malware used was so conventional that Target's recently upgraded network security system had no problem catching the incident and sounding multiple alarms–alarms that appear to have fallen on deaf ears.
In discussing the cyber attack with 10 former Target employees familiar with the company's security protocol, Businessweek paints a damning narrative of the events surrounding one of the largest IT security breaches in U.S. history.
Unlike many other retailers, Target has invested heavily in cyber security over during recent years. The company's information security staff has increased tenfold since 2006 to now include 300 employees. The company has also invested in creating a government-style security operations center, or SOC, in a windowless, bunker-like room in its corporate headquarters in Minneapolis.
Its latest security upgrade was the installation of FireEye, an advanced network-security program with a $1.6 million price tag. FireEye's development was funded by the CIA and it's now used by intelligence agencies around the globe.
FireEye depends on a team of security professionals in Bangalore, India, constantly monitoring Target's network traffic for signs of trouble. Potential attacks or glitches are instantly messaged to the SOC in Minneapolis. According to Businessweek, the security system worked perfectly, catching the installation of credit-card stealing malware as early as Nov. 30 of last year. The weak link in the chain was evidently SOC employees who ignored the warnings.
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
According to the report, even after the malware was installed, there was still time for Target to squelch the attack before the thieves could have absconded with the information. As the malware collected all credit card numbers swiped at U.S. stores during the first two weeks of December, the information was stored on hijacked servers within Target's network. That means there was time for security officers to stop the attack as the numbers were pooled and before they were moved out of the mainframe. In fact, this could have been done automatically, had Target employees not turned off a feature in FireEye that would have deleted the malware from Target's servers without human intervention. Turning off this feature is not unheard of, but it does put pressure on security teams to respond quickly.
"Typically, as a security team, you want to have that last decision point of 'what do I do,'" said Edward Kiledjian, chief information security officer for Bombardier Aerospace, another company that uses FireEye.
It's not clear why Target didn't respond to the threat with more urgency. What is clear is the devastating fallout Target, its customers, and banks have faced as a result. Not only were 40 million credit and debit cards compromised, 70 million addresses, phone numbers, and other bits of personal information were also lifted from Target's system. CNET reports that banks and credits unions have lost roughly $200 million as a result of the attack. Meanwhile, Target's most recent earnings report shows a 46 percent decline in profits through February, largely attributed to a loss in consumer confidence. And these latest revelations about FireEye warnings being ignored likely won't help the company in court. More than 90 lawsuits have been filed against Target seeking compensatory damages for negligence.