Just six weeks before hackers installed malware in Target’s security and payments system, malware designed to steal every credit card used at the company’s 1,797 U.S. stores, the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.
Twice, on November 30 and again on December 2, Bangalore got an alert from FireEye and flagged the security team in Minneapolis, and both times the warnings went unheeded. Not only should those alarms have been impossible to miss, they also went off before the hackers began transmitting stolen card data out of Target’s network.
Had the company’s security team responded when it was supposed to, the theft never would have happened at all.
Target claims that it receives hundreds of alerts daily from FireEye. The alerts this time labeled the threat with the generic name “malware.binary,” which does not provide much information about the threat. FireEye has a function that automatically deletes malicious software, but it had been turned off by Target’s security team before the hackers’ attack. Most of FireEye’s customers turn off that functionality because it is known for incorrectly flagging data as malware, which can halt email and Web traffic for business users.
For the next two weeks, when a Target credit card was swiped, the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers. The data was then transmitted around the globe.
It was only after federal officials notified Target on December 12 of unusual cyber activity involving credit card payments at Target stores that company investigators went back to find out what had happened. By then, 40 million payment card records had been stolen from the retailer, along with 70 million other records with customer information such as addresses and telephone numbers.
In addition to a Congressional investigation, Target faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.