We all read about the Target security breach that compromised tens of millions of customers. Target is back in the news today.
(LA Times) Target Corp. is hiring an IT expert from General Motors Co. to beef up its data security following a massive breach that continues to weigh on its reputation.
Brad Maiorino will head up technology risk and information strategy, a newly created position.
It’s the latest move by Target to tighten security over its huge amount of shopper data. The Minneapolis company has increased monitoring of accounts and implemented new safeguards at its point-of-sale systems.
Target, the nation’s third-largest retailer, has been struggling with the fallout from its disclosure in December that hackers stole credit and debit card information from tens of millions of customers.
Its revenue dropped 5% in the crucial fourth quarter and its chief executive, Gregg Steinhafel, stepped down last month. That followed the exit of Beth Jacob, the retailer’s former chief information officer.
You may recall that the breaches were big news this past December, but how exactly did the theft take place?
(Bloomberg Business) The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.
It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.
On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …
OK, so Target blew it.
With their focus directed at realizing sales during the year’s biggest shopping weekend, the company’s security team missed the theft of millions of credit card numbers.
How much was stolen?
Estimates put those numbers at 40 million credit card numbers, along with 70 million addresses, phone numbers and an unknown amount of cardholders’ personal information, all simply flying out of a hacked Target server.
These were not Target credit cards.
The hackers stole every card number swiped in a Target store during 2013’s Black Friday weekend. So if you shopped at any Target store on or about last Thanksgiving, your information was very likely stolen.
Bloomberg Business goes on.
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
They missed it not once, but twice.
Here’s a visual to help you along.