Report: How Target blew the data breach

Bloomberg’s Businessweek reports today that Target was ready for just the kind of data breach that lifted the personal data of millions of its customers, installing a $1.6 million malware detection tool made by a firm that has handled security for the Pentagon and the CIA. It has a team in India to monitor its computer systems around the clock, just in case someone tried to break in.

When the thieves started extracting data, the company saw the alarms go off, Businessweek reports. And a security team in Minneapolis was alerted.

So what happened? Nothing.

For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

In fact, Businessweek says, the breach could have been stopped without any humans doing anything…

The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off. Edward Kiledjian, chief information security officer for Bombardier Aerospace, an aircraft maker that has used FireEye for more than a year, says that’s not unusual. “Typically, as a security team, you want to have that last decision point of ‘what do I do,’ ” he says. But, he warns, that puts pressure on a team to quickly find and neutralize the infected computers.

The magazine suggests that humans at Target may not have trusted the computer system.

Related video: The editor on the story talks with CBS This Morning.

  • joetron2030

    As an IT manager, keenly aware of security issues, I can understand disabling the option to automatically remove something. There are way too many potentials for damage from a false positive. Especially when it’s involved with a system as important to your operations as POS (“point of sale” in this case) terminals.

    But, it’s rightly pointed out in the comments by Mr. Kiledjian that it then requires your staff to be on top of researching all false-positives.
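The trade-off described in the excerpt above and in the comment (auto-delete on means false positives knock out POS terminals; auto-delete off means every alert needs a human decision, and an alert nobody acts on is an open door) can be made concrete with a small alert-queue model. The code below is an added illustration, not code from the article, from Target, or from any vendor's product: it assumes a hypothetical `triage` function, an acknowledgement deadline (`ack_sla`) of 30 minutes, and a handful of constructed alert and analyst-action records with invented host names and timestamps.

```python
"""Toy alert-handling model: automatic containment vs. human-in-the-loop.

Added example (not from the article or any product). With auto_remediate on,
every detection is contained at once, including false positives on POS
terminals. With it off, each alert waits for an analyst, so the queue must
enforce an acknowledgement deadline and escalate anything left untouched.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    host: str
    detected_at: datetime
    true_positive: bool  # known only in hindsight; used to score outcomes


@dataclass
class AnalystAction:
    alert_id: str
    acted_at: datetime
    action: str  # "contain" or "dismiss"


@dataclass
class Outcome:
    alert_id: str
    host: str
    result: str  # auto-contained | contained | dismissed | pending | escalated
    dwell_minutes: Optional[float]
    note: str = ""


def triage(alerts: List[Alert], actions: List[AnalystAction],
           auto_remediate: bool, ack_sla: timedelta = timedelta(minutes=30),
           now: Optional[datetime] = None) -> List[Outcome]:
    """Return one Outcome per alert under the chosen containment policy."""
    now = now or datetime.now()
    by_id: Dict[str, List[AnalystAction]] = {}
    for act in actions:
        by_id.setdefault(act.alert_id, []).append(act)

    outcomes = []
    for al in alerts:
        if auto_remediate:
            # Containment is immediate, but a benign host is disrupted too.
            note = "" if al.true_positive else "false positive quarantined; host disrupted"
            outcomes.append(Outcome(al.alert_id, al.host, "auto-contained", 0.0, note))
            continue

        acts = sorted(by_id.get(al.alert_id, []), key=lambda a: a.acted_at)
        if not acts:
            # Nobody touched the alert: measure how long it has been sitting.
            dwell = (now - al.detected_at).total_seconds() / 60
            if dwell > ack_sla.total_seconds() / 60:
                outcomes.append(Outcome(al.alert_id, al.host, "escalated", dwell,
                                        "no analyst action within SLA"))
            else:
                outcomes.append(Outcome(al.alert_id, al.host, "pending", dwell))
            continue

        first = acts[0]
        dwell = (first.acted_at - al.detected_at).total_seconds() / 60
        if first.action == "contain":
            note = "" if al.true_positive else "false positive contained by analyst"
            outcomes.append(Outcome(al.alert_id, al.host, "contained", dwell, note))
        else:
            note = "true positive dismissed; infection still active" if al.true_positive else ""
            outcomes.append(Outcome(al.alert_id, al.host, "dismissed", dwell, note))
    return outcomes


# Constructed sample data (hypothetical hosts and times, not from the article).
T0 = datetime(2020, 1, 1, 2, 0)
SAMPLE_ALERTS = [
    Alert("A1", "pos-07", T0, True),                            # real malware, never handled
    Alert("A2", "pos-12", T0 + timedelta(minutes=5), False),    # legitimate POS update flagged
    Alert("A3", "srv-03", T0 + timedelta(minutes=60), True),    # real malware, handled
]
SAMPLE_ACTIONS = [
    AnalystAction("A2", T0 + timedelta(minutes=40), "dismiss"),
    AnalystAction("A3", T0 + timedelta(minutes=80), "contain"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("auto_remediate =", mode)
        for o in triage(SAMPLE_ALERTS, SAMPLE_ACTIONS, mode, now=T0 + timedelta(hours=6)):
            print(f"  {o.alert_id} {o.host:7} {o.result:15} dwell={o.dwell_minutes} {o.note}")
```

Run as-is, the manual policy leaves A1 escalated after six hours of dwell while the automatic policy contains it instantly but also quarantines the benign A2; the point is that turning the automatic action off is only safe when the escalation path for untouched alerts actually fires.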