How Target detected hack but failed to act -- Bloomberg

Despite alerts received through a $1.6 million malware detection system, Target failed to stop hackers from stealing credit card numbers and personal information of millions of customers, Bloomberg reports.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
3 min read

The November data breach that affected as many as 110 million Target customers could have been stopped in its tracks, according to a story published Thursday by Bloomberg.

Speaking with more than ten former Target employees and eight people with knowledge of the hack, Bloomberg said that Target already had in place a sophisticated malware detection system designed by security firm FireEye. The $1.6 million system was set up specifically to identify hacks and cyberattacks before they had a chance to do real damage.

Highlighting the ingenuity of FireEye's detection system, Bloomberg explained that it creates a parallel network on virtual machines. As such, the hackers are led to believe they're actually breaking into the real thing, thus exposing their attack methods and other breadcrumbs without jeopardizing the true network, at least not initially.

A team of security professionals was set up in Bangalore to monitor Target's network servers and alert security operators in Minneapolis of any detected malware. And this process worked as expected during the November hack. After detecting the hack, the people in Bangalore alerted the people in Minneapolis. But that's where the ball got dropped, according to Bloomberg. The hack continued on its merry way.

Why was the hack successful despite all the warning signs? Bloomberg's sources pointed to a few reasons.

The FireEye system could have been programmed to automatically remove the malware upon detection. But that option was turned off, requiring someone to manually delete it. That's not unusual, according to one security officer interviewed by Bloomberg who explained that security professionals typically want that decision to be in their hands. But that means the security team must act quickly enough.

Two people "familiar with Target's security operations" also told Bloomberg that the company's security people may have viewed FireEye's system with some skepticism at the time of the hack. Testing of the system had just completed in May, leading to its initial rollout. Even further, the manager of Target's security operations center, Brian Bobo, had left the company in October, with no replacement to manage things.

Ultimately, though, the alerts from FireEye and from Target's Symantec Endpoint Protection system should have driven Target's security people to stop the hack before it spread.

"The malware utilized is absolutely unsophisticated and uninteresting," Jim Walter, director of threat intelligence operations at McAfee, told Bloomberg. "If Target had had a firm grasp on its network security environment, they absolutely would have observed this behavior occurring on its network."

Responding to a request for comment on the Bloomberg story, a Target spokesperson sent CNET the following statement:

Despite the fact that that we invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI compliant, the unfortunate reality is that we experienced a data breach.

Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different.

Our investigation is ongoing and we are committed to making further investments in our people, processes and technology with the goal of reinforcing security for our guests.

Updated 12:15 p.m. PT with statement from Target.