In the wake of a December security breach that put up to 40 million credit card numbers and 70 million more pieces of customer contact information in the hands of hackers, Target has been doing damage control. It's installed new credit card security systems, and its chief operating officer resigned in early March. But according to a report from Bloomberg Businessweek, the company's state-of-the-art security system detected the hack as soon as it started — and did nothing. Instead, it took two weeks and a warning from federal investigators to plug the hole.
The problem wasn't that Target had weak security in place. It had begun installing FireEye malware-detection software six months before, and as soon as the hackers began uploading their code, alarms allegedly went off. "On November 30th, according to a person who has consulted on Target's investigation but is not authorized to speak on the record, the hackers deployed their custom-made code, triggering a FireEye alert that indicated unfamiliar malware: malware.binary," Businessweek writes. "Details soon followed, including addresses for the servers where the hackers wanted their stolen data to be sent. As the hackers inserted more versions of the same malware ... the security system sent out more alerts, each the most urgent on FireEye's graded scale."
Target's Symantec anti-virus system also apparently found suspicious activity around the same time. Businessweek says that the FireEye software could even have deleted the malware automatically, but that function was turned off, which is reportedly not unusual for security teams that want to keep a human finger on the kill switch. In this case, though, it appears that nobody stepped in to take action.
It's not clear why exactly Target wouldn't have responded. Businessweek points to the possibility that security staff didn't yet trust the relatively new system, or that a vacant position in the department made it easier to miss the alerts. According to separate reports, at least one security staffer raised concerns two months before the attack and was initially "brushed off," although the exact concerns are unknown and it's possible a review was performed before the attacks. But whatever happened, by the time Target started closing the holes in its security system, the hackers were far ahead.
Who was behind the attack? Since the attack, security expert Brian Krebs has been tracing the malware in question and tracking the stolen credit card numbers. In December, he tentatively identified a hacker known as "Helkern" or Andrey Khodyrevskiy, allegedly the administrator of a site where the credit cards ended up for sale. Businessweek wasn't able to definitively identify Khodyrevskiy as the hacker, but it puts together a strong case.
Update: A Target spokesperson has confirmed the lack of action on initial alerts, saying, "with the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different."