Target’s sophisticated IT security system went on full alert after detecting malware on the company’s network on 30 November 2013 and could have prevented the theft of 40 million credit and debit card numbers a few days later.
But those warnings were ignored, according to a report published yesterday by Bloomberg Businessweek.
The report, which cites interviews with unnamed sources including former Target employees, law enforcement officials, and security analysts, says that not only did Target fail to prevent the breach of its network that allowed the hackers to implant malware, it failed to heed multiple warnings that the malware was on its system before the data leaked out.
Federal law enforcement officials apparently alerted Target on 12 December 2013 that it had found evidence of a breach, but Target still did not act to secure its network until three days later, on 15 December 2013.
By then, criminals had been plundering consumers’ bank accounts and stealing their identities for nearly two weeks.
Target eventually informed customers of the theft of their identities on 19 December 2013.
In a statement to the New York Times, Target spokeswoman Molly Snyder admitted that the company had received multiple warnings that it had been breached, but failed to act.
Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon.
Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.
Into the breach
The initial breach of Target’s network occurred sometime before Thanksgiving last year, when the hackers used stolen credentials from a third party to gain access to the network and plant their malware.
The malware on Target’s point-of-sale (PoS) terminals was likely a type of malware called a RAM scraper, which steals the card data during the brief moment when it is unencrypted – as it is transferred from the PoS terminal to the PoS register itself, which completes the transaction.
According to the Bloomberg Businessweek report, this malware was implanted on the PoS systems sometime before Thanksgiving, and it was waiting for instructions from the hackers before the data theft started taking place.
That happened on 30 November 2013, when the hackers inserted new malware onto the network that received the card data and stored it on a hijacked Target server.
It was this malware that set off the alarms that could have prevented the data theft from happening, according to the report.
It wasn’t until 02 December 2013 that the stolen data began to flow from Target’s own servers to other servers in the US controlled by the hackers, and then out of the country to a server in Russia.
From there, the criminal gang packaged the stolen payment card data for sale on “carder” websites for between $5 and $50. Fraudsters then went to work using the numbers to rack up millions in charges.
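The sequence the report describes (registers feeding one unexpected internal server, which then pushes the collected data out of the network) is something flow telemetry can surface. The following is an added example, not code from the article or from Target; the address ranges, the allowed payment switch, the thresholds and the flow records are all constructed for illustration.

```python
"""Detect the staging-then-exfiltration pattern described above: PoS hosts
feeding one unexpected internal server that then sends a large volume outside."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")     # assumed corporate address space
POS_NET = ip_network("10.10.0.0/16")        # assumed PoS register segment
ALLOWED_FROM_POS = {"10.20.0.5"}            # assumed legitimate payment switch
STAGING_MIN_SOURCES = 5                     # distinct PoS hosts feeding one sink
EXFIL_MIN_BYTES = 50_000_000                # outbound bytes from a suspect host

# Constructed flow records: (source, destination, bytes transferred)
FLOWS = [
    ("10.10.1.11", "10.20.0.5", 4_000),            # normal authorisation traffic
    ("10.10.1.12", "10.20.0.5", 3_800),
    ("10.10.1.11", "10.30.7.44", 900_000),         # six registers feeding one file server
    ("10.10.2.13", "10.30.7.44", 850_000),
    ("10.10.3.14", "10.30.7.44", 910_000),
    ("10.10.4.15", "10.30.7.44", 870_000),
    ("10.10.5.16", "10.30.7.44", 880_000),
    ("10.10.6.17", "10.30.7.44", 920_000),
    ("10.30.7.44", "203.0.113.10", 60_000_000),    # that server then pushes 60 MB out
    ("10.30.8.9", "198.51.100.20", 70_000_000),    # bulk outbound but no PoS inflow: ignored
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET

def find_staging_hosts(flows):
    """Internal hosts, outside the allowed list, fed by >= STAGING_MIN_SOURCES PoS hosts."""
    sources = defaultdict(set)
    for src, dst, _ in flows:
        if ip_address(src) in POS_NET and is_internal(dst) and dst not in ALLOWED_FROM_POS:
            sources[dst].add(src)
    return {dst for dst, srcs in sources.items() if len(srcs) >= STAGING_MIN_SOURCES}

def find_exfil(flows, staging):
    """Total bytes each staging host sent outside INTERNAL_NET, kept if >= EXFIL_MIN_BYTES."""
    out = defaultdict(int)
    for src, dst, nbytes in flows:
        if src in staging and not is_internal(dst):
            out[src] += nbytes
    return {host: total for host, total in out.items() if total >= EXFIL_MIN_BYTES}

def detect(flows):
    # Correlating the two stages is what separates this from a plain volume alert.
    staging = find_staging_hosts(flows)
    return {"staging": sorted(staging), "exfil": find_exfil(flows, staging)}

if __name__ == "__main__":
    print(detect(FLOWS))
```

The second host with large outbound volume is deliberately left unflagged: on its own, stage two would alert on it, which is the kind of noise the later comments complain about.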
Blind eye
Less than a year before the attack on its network, Target implemented a new $1.6 million security system, according to Bloomberg Businessweek.
That system picked up on the network intrusion on 30 November 2013 and again on 02 December 2013, flagging multiple incidents for a special team in Bangalore, India whose job it was to monitor the system.
The team in Bangalore alerted the security team at Target’s corporate headquarters in the US, but the warnings went unheeded.
Not only did Target’s security team fail to act on the warnings from Bangalore, they had disabled a feature on the system that would have automatically eliminated the malware upon detection without any human intervention, Bloomberg Businessweek reported.
Truth and consequences
As the saga of the Target data breach continues to unfold, there will certainly be costs and consequences for Target.
Last week, the company’s chief information officer resigned.
The US Congress is investigating the breach, and has demanded documents from Target about the 30 November 2013 incident and its response. Lawsuits from banks and consumers are entering the courts. And Target has agreed to spend millions on upgrading its PoS system, on top of the losses it has undoubtedly suffered from lost business.
Some good may come out of Target’s extremely costly failure – it could act as the impetus to convert US credit and debit cards from magnetic swipe cards to cryptographic chip and PIN cards, which use a unique ID for each transaction rather than the credit card number.
As for the cybercriminals behind the attack, no one has yet been prosecuted.
Hmm… So Target got a call from someone in India telling them their computer had a virus…? I get 5 of those calls every week. Does this mean I should now be taking notice of them? 😉
Not from somebody, from their own IT department which is in India.
It sounds like Target needs to get a different Security Team.
To be fair to Target’s security team they had people saying something needed to be done. And Target ignored them. I bet those people are the employees who left and got better jobs. Maybe Target needs better people at the top who decide where money is spent.
“To be fair to Target’s security team, they had people saying something needed to be done. And Target ignored them.”
…er, that’s not what the article says. Here’s what it really says:
“Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon.
Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up.”
THE TEAM determined that further action wasn’t needed. I’m not sure where Target draws the boundary around “the team”, but operationally it’s defined as “everyone who had the responsibility AND the authority to respond to the threat in a way that prevented data loss.” If Target separated the authority from the responsibility, they set the system up to FAIL from the get-go.
Having the responsibility without the authority to act is the only possible reason why “the team” might have an excuse to get off the hook. But in that case, whoever set it up that way should get the axe. Giving people authority without responsibility (and vice versa) is the same organizing principle used by political governments, which also fail…for exactly the same reason.
Yeah, but they also need to heed the warnings. Security teams tend to send all kinds of warnings to management, and the vast majority never get high enough in the food chain for action to get taken.
In addition to security people, they need to change their processes such that senior management gets direct reports (summarized, of course).
Two other things are critical: When the official security team flags an issue, it should NEVER be just dropped. Some issues are no-brainers, but even so, there should be a formal process to close out the issue.
Lastly, the CIO and CSO should NOT report through the CFO. While most engineers need quite a bit of “taming” done to them regarding finances, having the CFO checking off on them is pure folly. The CFO’s job is to reduce costs. The CIO’s job is to (among other things) prevent damage. These are not compatible objectives.
Get a good team under the CIO, and they won’t ask for “too much” money. But, with a tech-ignorant CFO, problems that NEED to be corrected can get sidelined.
It is SO EASY with the benefit of 20-20 hindsight to write offhandedly about how technicians should have picked up on alerts, but anyone in an information security position whose job it is to look at real network events, log files and the thousands of alerts that spew out of even the most streamlined security tools will know that claims of “The system alerted them, they should have acted” are completely meaningless.
I work for a small company, yet I have to decide how to review many thousands of alerts daily. The larger the company the more complicated it becomes, even though the analysis teams and the tools brought to bear also grow in size and complexity.
So I take any articles like this Bloomberg story (and I must say, any media write-ups that perpetuate them) to be meaningless at best, and quite frankly misleading portrayals of what security professionals are faced with in the real world.
Gavin
I hear you.
But this was not an ordinary security breach on a typical network. This was a long-running, company-wide malware infection *on the very computers that were specifically entrusted with the job of taking money from customers securely*.
Given the implicit trust that those customers were invited to place in the cash registers that processed their credit card payments, I think you can equally well argue that “the system alerted them, they should have acted” is a reasonable thing to suggest.
It’s not as though shops have signs on their tills saying, “This cash register is connected to the same network as all the other PCs in the company, which is in turn connected to the internet. It is therefore at risk of malware infection that may result in your credit card being cloned. Please be aware that we are faced with many thousands of security alerts daily, so we may not notice malware infections for several weeks. Expecting us to care about your security when we have our own to worry about is, quite frankly, unreasonable. Have a nice day.”
(Maybe a store with such a sign would be a *good* place to shop – no false promises that “your security is important to us” 🙂)
You make some good points. But, the key reason I fault Target for this problem is because they didn’t just miss the entries. Their security guys SAW the problems and reported them. But, for whatever reason, the reports did not result in action.
I hope Congress gets tough with Target. They sure had no problem hitting Sony hard when their network was hacked. Give Target a big fine and let companies know that’s what they face too. Make it worth their time and money to get serious on security. I think right now they ignore it because of the cost. If the fine comes out to more they’ll have to start dealing with security.
Hmmmm, even outsourcing their security to another country? All this outsourcing is gonna bite all these companies in the butt eventually; this looks like a start.
To the people who want Target to pay, I have to disagree, although with pain.
What really needs to happen is that they (and all other companies) need to modify their security practices so that this kind of warning doesn’t get skipped/ignored/missed/etc again.
I’m not sure a fine will do that. In fact, a fine will probably cause other companies to clam up. Going public is really important. I don’t care if they get fined or spanked or anything else; I care that they fix the problem in as timely a fashion as they can.
A fine might be useful when the decisions made that corrupted security were financially-induced. “OK, you wanted to save money. Fine, now you can pay a fine that’s 3 times as much.”
But, for decisions that were stupid, or oversights, just fix them. Maybe even submit to monitoring.