How Target detected hack but failed to act -- Bloomberg

Despite alerts received through a $1.6 million malware detection system, Target failed to stop hackers from stealing credit card numbers and personal information of millions of customers, Bloomberg reports.


The November data breach that affected as many as 110 million Target customers could have been stopped in its tracks, according to a story published Thursday by Bloomberg.

Speaking with more than ten former Target employees and eight people with knowledge of the hack, Bloomberg said that Target already had in place a sophisticated malware detection system designed by security firm FireEye. The $1.6 million system was set up specifically to identify hacks and cyberattacks before they had a chance to do real damage.

Highlighting the ingenuity of FireEye's detection system, Bloomberg explained that it creates a parallel network on virtual machines. As a result, the hackers are led to believe they're actually breaking into the real thing, thus exposing their attack methods and other breadcrumbs without jeopardizing the true network, at least not initially.

A team of security professionals was set up in Bangalore to monitor Target's network servers and alert security operators in Minneapolis of any detected malware. And this process worked as expected during the November hack. After detecting the hack, the people in Bangalore alerted the people in Minneapolis. But that's where the ball got dropped, according to Bloomberg. The hack continued on its merry way.

Why was the hack successful despite all the warning signs? Bloomberg's sources pointed to a few reasons.

The FireEye system could have been programmed to automatically remove the malware upon detection. But that option was turned off, requiring someone to manually delete it. That's not unusual, according to one security officer interviewed by Bloomberg who explained that security professionals typically want that decision to be in their hands. But that means the security team must act quickly enough.

Two people "familiar with Target's security operations" also told Bloomberg that the company's security people may have viewed FireEye's system with some skepticism at the time of the hack. Testing of the system had just been completed in May, leading to its initial rollout. In addition, the manager of Target's security operations center, Brian Bobo, had left the company in October, with no replacement to manage things.

Ultimately, though, the alerts from FireEye and from Target's Symantec Endpoint Protection system should have driven Target's security people to stop the hack before it spread.

"The malware utilized is absolutely unsophisticated and uninteresting," Jim Walter, director of threat intelligence operations at McAfee, told Bloomberg. "If Target had had a firm grasp on its network security environment, they absolutely would have observed this behavior occurring on its network."

Responding to a request for comment on the Bloomberg story, a Target spokesperson sent CNET the following statement:

Despite the fact that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI compliant, the unfortunate reality is that we experienced a data breach.

Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.

Our investigation is ongoing and we are committed to making further investments in our people, processes and technology with the goal of reinforcing security for our guests.

Updated 12:15 p.m. PT with statement from Target.

About the author

Journalist, software trainer, and Web developer Lance Whitney writes columns and reviews for CNET, Computer Shopper, Microsoft TechNet, and other technology sites. His first book, "Windows 8 Five Minutes at a Time," was published by Wiley & Sons in November 2012.

 
