If your credit card number is one of the 40 million that were stolen from Target by hackers last November, you’d better sit down, because you’re not going to like what you read next.
According to an eye-opening report today by BloombergBusinessweek, Target not only failed to protect its customers’ financial information from hackers — it was also warned about the breach with plenty of time to prevent anyone from being affected but did nothing.
Last spring, the retail chain installed a $1.6 million threat-prevention system from security firm FireEye, whose other customers include the Pentagon and the CIA. The system worked exactly as it was supposed to, detecting an attack before any Target data was stolen. But when FireEye’s software warned the $73 billion retailer that an attack was under way, Target ignored it.
Here are some of the uglier allegations reported by Bloomberg:
1. FireEye issued multiple warnings on Nov. 30 and Dec. 2 that data-stealing malware had been installed on Target’s servers. They went unheeded.
2. Target was also alerted to suspicious malware-like behavior by its Symantec antivirus software on Black Friday, Nov. 29. No response from Target.
3. FireEye’s system has an option to automatically delete malware after it is detected. Target had turned that feature off.
4. The manager of Target’s security operations center in Minneapolis left his post in October. Target still hadn’t replaced him by the time of the attacks.
5. Attackers gained access to Target’s servers via logins obtained from one of its HVAC vendors, which should have been walled off from access to sensitive financial information. Per Bloomberg’s report: “Target’s walls obviously had holes.”
6. The stolen data sat on hijacked Target servers for nearly two weeks before hackers finished siphoning it off to servers in Russia — plenty of time to delete it before the bad guys got to it. But nobody did.
7. Target was notified by the Department of Justice about the attack on Dec. 12, but it still took three days to remove the malware from its systems.
8. Target then took another four days to notify the public. By then, customers had already begun reporting fraudulent charges on their accounts.
9. The attackers sold the stolen credit card numbers to thieves located in the same geographical areas as their victims, to avoid setting off bank fraud alerts.
10. The attackers were rank amateurs who left clues to their identities inside the malware they were using, as well as the names and logons of the servers they were using to store the stolen data. By the time investigators found this info, though, the data was long gone.
Target is hardly the only major American corporation to do a poor job of protecting its customers’ data, nor is the theft of 40 million card numbers the biggest data breach to occur. But this tragedy of errors is no doubt a large factor in why Target Chief Information Officer Beth Jacob resigned earlier this month.
Her boss, CEO Gregg Steinhafel, still has his job, though.
Kudos to Bloomberg reporters Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack for nailing this story.