This week's cover story for Bloomberg Businessweek is disheartening, and could send even more consumer ill will in the direction of Target Corp.
According to the story "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," the retailer had a fully functioning anti-malware system in place before the breach occurred, and that system did its job — but was ignored.
Earlier in 2013, Target spent $1.6 million on an anti-malware solution from the security company FireEye, which also provides its technology to the CIA, among others. On Nov. 30, the system detected the final component of the multi-stage malware being installed and notified the security team at the retailer's home office in Minneapolis. And then, "for some reason, Minneapolis didn't react to the sirens," the report says.
On Nov. 30, according to a person who has consulted on Target's investigation but is not authorized to speak on the record, the hackers deployed their custom-made code, triggering a FireEye alert that indicated unfamiliar malware: "malware.binary."
Details soon followed, including addresses for the servers where the hackers wanted their stolen data to be sent. As the hackers inserted more versions of the same malware (they may have used as many as five, security researchers say), the security system sent out more alerts, each the most urgent on FireEye's graded scale, says the person who has consulted on Target's probe.
The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it's detected. But according to two people who audited FireEye's performance after the breach, Target's security team turned that function off.
Edward Kiledjian, chief information security officer for Bombardier Aerospace, an aircraft maker that has used FireEye for more than a year, says that's not unusual. "Typically, as a security team, you want to have that last decision point of 'what do I do,'" he says. But, he warns, that puts pressure on a team to quickly find and neutralize the infected computers.
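The trade-off Kiledjian describes, auto-deletion off and a human decision point in its place, only works if the alert pipeline enforces a deadline on that decision. The following is an added example, not code from Bloomberg, Target or FireEye: it parses a constructed alert log in a made-up pipe-delimited format (the story does not show FireEye's real export format), opens one ticket per host for alerts at or above a minimum severity, either quarantines at the first critical hit when auto-containment is on or flags the ticket once an assumed four-hour SLA lapses when it is off, and collects the reported callback destinations into an egress block list. The hostnames, timestamps, callback addresses (RFC 5737 documentation ranges) and the SLA value are all constructed for the example.

```python
"""Added example: alert triage with auto-containment on or off, plus an SLA
check on the human decision point. Constructed data throughout."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed alert log (not FireEye's real export format). Fields:
#   <ISO timestamp>|<host>|<detection name>|<severity>|<callback host:port or ->
# Hosts, times and callback addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
2013-11-30T02:14:05|pos-lane-017|malware.binary|critical|192.0.2.10:443
2013-11-30T02:16:40|pos-lane-017|malware.binary|critical|192.0.2.10:443
2013-11-30T03:02:11|pos-lane-042|malware.binary|critical|192.0.2.11:443
2013-11-30T05:45:00|pos-lane-042|generic.adware|low|-
2013-12-01T22:10:30|dc-fileshare-03|malware.binary|critical|198.51.100.7:8080
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    ts: datetime
    host: str
    name: str
    severity: str
    callback: str | None  # where the sample tried to send data, if observed


@dataclass
class Policy:
    auto_contain: bool                    # the option the story says was switched off
    min_severity: str = "critical"        # ticket only at this severity or above
    sla: timedelta = timedelta(hours=4)   # assumed deadline for a human to act


@dataclass
class Ticket:
    host: str
    opened: datetime
    alerts: list[Alert] = field(default_factory=list)
    callbacks: set[str] = field(default_factory=set)
    contained_at: datetime | None = None


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed pipe-delimited log into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, sev, cb = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), host, name, sev,
                            None if cb == "-" else cb))
    return alerts


def triage(alerts: list[Alert], policy: Policy, now: datetime):
    """One ticket per host; quarantine immediately if auto-containment is on,
    otherwise report hosts whose ticket has sat open longer than the SLA."""
    tickets: dict[str, Ticket] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if SEVERITY_RANK[a.severity] < SEVERITY_RANK[policy.min_severity]:
            continue  # below threshold: logged, not ticketed
        t = tickets.setdefault(a.host, Ticket(host=a.host, opened=a.ts))
        t.alerts.append(a)
        if a.callback:
            t.callbacks.add(a.callback)
        if policy.auto_contain and t.contained_at is None:
            t.contained_at = a.ts  # no human in the loop: isolate at first hit
    breached = sorted(h for h, t in tickets.items()
                      if t.contained_at is None and now - t.opened > policy.sla)
    return tickets, breached


def block_list(tickets: dict[str, Ticket]) -> list[str]:
    """Union of callback destinations: the egress block an analyst can push
    before the infected hosts are even located."""
    return sorted(set().union(*(t.callbacks for t in tickets.values())))


def run_scenario(auto_contain: bool, now: str = "2013-12-02T00:00:00") -> dict:
    """Run the constructed log through the policy and summarise the outcome."""
    tickets, breached = triage(parse_alerts(SAMPLE_LOG), Policy(auto_contain),
                               datetime.fromisoformat(now))
    return {
        "open_tickets": sorted(tickets),
        "contained": sorted(h for h, t in tickets.items() if t.contained_at),
        "sla_breached": breached,
        "block_list": block_list(tickets),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print(f"auto_contain={mode}:", run_scenario(mode))
```

With auto-containment off, the two point-of-sale hosts ticketed on Nov. 30 are already past the assumed SLA by Dec. 2, while the host ticketed late on Dec. 1 is not; with it on, all three are isolated at their first critical alert and nothing breaches. The block list is the same either way, which is the point: the callback addresses in the alerts are actionable even before anyone has touched a host.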
Data started flowing out of Target's network on Dec. 2, and federal law enforcement did not notify the company until Dec. 12. Even then, Target took three days to confirm the breach. By the time the hole had been plugged, more than 110 million consumer records had been stolen, including the 40 million card numbers in the story's headline, making it the fourth-largest data breach in history.