How Target easily could have kept 40 million credit cards from being stolen
Investigation finds Target security program worked like a charm, but alarms were ignored.
As Target still struggles to restore consumer confidence and profits after last December’s massive data breach, a new report asserts the retail giant could have easily prevented the whole fiasco.
According to Bloomberg Businessweek, the technology used to steal some 40 million credit card numbers and other valuable pieces of personal information during the busy holiday shopping season was neither cutting edge nor complicated. In fact, the malware used was so conventional that Target’s recently upgraded network security system had no problem catching the incident and sounding multiple alarms–alarms that appear to have fallen on deaf ears.
In discussing the cyber attack with 10 former Target employees familiar with the company’s security protocol, Businessweek paints a damning narrative of the events surrounding one of the largest IT security breaches in U.S. history.
Unlike many other retailers, Target has invested heavily in cyber security in recent years. The company’s information security staff has increased tenfold since 2006 to now include 300 employees. The company has also invested in creating a government-style security operations center, or SOC, in a windowless, bunker-like room in its corporate headquarters in Minneapolis.
Its latest security upgrade was the installation of FireEye, an advanced network-security program with a $1.6 million price tag. FireEye’s development was funded by the CIA and it’s now used by intelligence agencies around the globe.
FireEye depends on a team of security professionals in Bangalore, India, constantly monitoring Target’s network traffic for signs of trouble. Potential attacks or glitches are instantly messaged to the SOC in Minneapolis. According to Businessweek, the security system worked perfectly, catching the installation of credit-card stealing malware as early as Nov. 30 of last year. The weak link in the chain was evidently SOC employees who ignored the warnings.
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
According to the report, even after the malware was installed, there was still time for Target to squelch the attack before the thieves could have absconded with the information. As the malware collected all credit card numbers swiped at U.S. stores during the first two weeks of December, the information was stored on hijacked servers within Target’s network. That means there was time for security officers to stop the attack as the numbers were pooled and before they were moved out of the mainframe. In fact, this could have been done automatically, had Target employees not turned off a feature in FireEye that would have deleted the malware from Target’s servers without human intervention. Turning off this feature is not unheard of, but it does put pressure on security teams to respond quickly.
“Typically, as a security team, you want to have that last decision point of ‘what do I do,'” said Edward Kiledjian, chief information security officer for Bombardier Aerospace, another company that uses FireEye.
It’s not clear why Target didn’t respond to the threat with more urgency. What is clear is the devastating fallout Target, its customers, and banks have faced as a result. Not only were 40 million credit and debit cards compromised, 70 million addresses, phone numbers, and other bits of personal information were also lifted from Target’s system. CNET reports that banks and credit unions have lost roughly $200 million as a result of the attack. Meanwhile, Target’s most recent earnings report shows a 46 percent decline in profits through February, largely attributed to a loss in consumer confidence. And these latest revelations about FireEye warnings being ignored likely won’t help the company in court. More than 90 lawsuits have been filed against Target seeking compensatory damages for negligence.
Tim Sampson is a reporter who focused on the technology, business, and politics beats. He's also an established comedy writer, with work on Comedy Central and in The Onion and ClickHole.