Target’s sophisticated IT security system went on full alert after detecting malware on the company’s network on 30 November 2013 and could have prevented the theft of 40 million credit and debit card numbers a few days later.
But those warnings were ignored, according to a report published yesterday by Bloomberg Businessweek.
The report, which cites interviews with unnamed sources including former Target employees, law enforcement officials, and security analysts, says that not only did Target fail to prevent the breach of its network that allowed the hackers to implant malware, it failed to heed multiple warnings that the malware was on its system before the data leaked out.
Federal law enforcement officials apparently alerted Target on 12 December 2013 that it had found evidence of a breach, but Target still did not act to secure its network until three days later, on 15 December 2013.
By then, criminals had been plundering consumers’ bank accounts and stealing their identities for nearly two weeks.
Target eventually informed customers of the theft of their identities on 19 December 2013.
In a statement to the New York Times, Target spokeswoman Molly Snyder admitted that the company had received multiple warnings that it had been breached, but failed to act.
Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon.
Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.
Into the breach
The initial breach of Target’s network occurred sometime before Thanksgiving last year, when the hackers used stolen credentials from a third party to gain access to the network and plant their malware.
The malware on Target’s point-of-sale (PoS) terminals was likely a type of malware called a RAM scraper, which steals the card data during the brief moment when it is unencrypted – as it is transferred from the PoS terminal to the PoS register itself, which completes the transaction.
According to the Bloomberg Businessweek report, this malware was implanted on the PoS systems sometime before Thanksgiving, and it was waiting for instructions from the hackers before the data theft started taking place.
That happened on 30 November 2013, when the hackers inserted new malware onto the network that received the card data and stored it on a hijacked Target server.
It was this malware that set off the alarms that could have prevented the data theft from happening, according to the report.
It wasn’t until 02 December 2013 that the stolen data began to flow from Target’s own servers to other servers in the US controlled by the hackers, and then out of the country to a server in Russia.
From there, the criminal gang packaged the stolen payment card data for sale on “carder” websites for between $5 and $50. Fraudsters then went to work using the numbers to rack up millions in charges.
Less than a year before the attack on its network, Target implemented a new $1.6 million security system, according to Bloomberg Businessweek.
That system picked up on the network intrusion on 30 November 2013 and again on 02 December 2013, flagging multiple incidents for a special team in Bangalore, India whose job it was to monitor the system.
The team in Bangalore alerted the security team at Target’s corporate headquarters in the US, but the warnings went unheeded.
Not only did Target’s security team fail to act on the warnings from Bangalore, they had disabled a feature on the system that would have automatically eliminated the malware upon detection without any human intervention, Bloomberg Businessweek reported.
Truth and consequences
As the saga of the Target data breach continues to unfold, there will certainly be costs and consequences for Target.
Last week, the company’s chief information officer resigned.
The US Congress is investigating the breach, and has demanded documents from Target about the 30 November 2013 incident and its response. Lawsuits from banks and consumers are entering the courts. And Target has agreed to spend millions on upgrading its PoS system, on top of the money it has undoubtedly suffered in lost business.
Some good may come out of Target’s extremely costly failure – it could act as the impetus to convert US credit and debit cards from magnetic swipe cards to cryptographic chip and PIN cards, which use a unique ID for each transaction rather than the credit card number.
As for the cybercriminals behind the attack, no one has yet been prosecuted.