Target Knew of Data Breach Earlier Than Reported

This is unsettling news but at the same time sadly unexpected. According to a report from BusinessWeek, officials at Target knew about the data breach that led to consumer credit card data being stolen during the most recent holiday shopping season earlier than Target has stated. If true, than it appears that the theft of consumer info, once it was captured, might not have occurred at all. Shockingly, Target did not move soon enough when its systems alerted them to the crime.

target

According to the report Target had been working with diligence to install and test new systems to prevent just such a breach. Protecting the confidence bond between consumer and retailer is important to any business that accepts credit cards. The system Target was using is called FireEye. As designed the system would issue an alert if it noticed a problem. Apparently the FireEye system did just that on November 30, the day that the breach began, but Target officials did not act on those alerts as you can see from this excerpt:

For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

When asked to respond for this BusinessWeek report, Target CEO Gregg Steinhafel issued an email that in essence says that until an investigation is complete that Target won’t respond  piecemeal to such requests. Target has stated publicly, in testimony to Congress, that it was only after the US Justice Department notified it about the breach that it went back to review what happened.

The BusinessWeek report concludes that the FireEye system responded appropriately with alerts in enough time to stop the breach before the data thieves had actually had time to move consumer data once it had been captured. If that is the case, than theoretically no data would have been stolen.

Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.

Advertisement

This is a damning report by BusinessWeek about this incident that affected so many. Consumers, banks, and retailers are still dealing with the after effects of the breach. Credit card companies and retailers are looking to change point of purchase systems going forward. A move that many believe could have been done long ago in the US but had not been implemented due to costs involved that threatened profitable point of purchase deals that already existed.

Readers are encouraged to read the entire BusinessWeek report.

  

Comments

  1. MACYS says

    what looser shops there anyways, they deserve what they got for going to the ghetto ass store, walmart is bad enough

  2. Security Guy says

    Target spent $M on detection and left the response process to manual labor. They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

    Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through. They probably could have spent a fraction more to get automated incident response technology in house.

Leave a Reply