Throughout the total absurdity that’s been the aftermath of Target’s massive data breach in the US, one question has continued to persist unanswered: Why the hell didn’t one of the biggest retailers in the US have sufficient security software? Well, the thing is — it did. It just ignored it.
Thanks to a Bloomberg Businessweek exclusive, we now know that Target could have saved itself (and its 110 million affected customers) billions of dollars’ worth of pain if it had just listened to its malware detection software’s alarms the first time — or even the second, third, fourth, and fifth times.
Instead, Target executives stood idly by as the biggest retail data breach in US history happened right under their noses. Bloomberg writes:
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network.
Yes, despite spending $US1.6 million on security software FireEye, Target decided that it probably wasn’t worth the trouble to actually, you know, use it. Because, even though Target’s hackers were fairly elaborate in their attempt to circumvent Target’s system, FireEye was more than capable of handling it.
The [FireEye] system works by creating a parallel computer network on virtual machines. Before data from the Internet reach Target, they pass through FireEye’s technology, where the hackers’ tools, fooled into thinking they’re in real computers, go to work. The technology spots the attack before it happens, then warns the customer. Unlike antivirus systems, which flag malware from past breaches, FireEye’s isn’t as easily tricked when hackers use novel tools or customise their attack, customers say. “It’s a very smart approach,” says Robert Bigman, the CIA’s former chief information security officer. “When we first started working with them several years ago, no one ever thought of doing it that way.”
So why would Target just completely ignore an obvious data breach when the company itself stands to lose the most in the long run? “Incompetence” might seem a bit harsh, but after realising that Target’s security actively chose to turn off the function that automatically deletes malware, it’s hard to see it any other way.
As the hackers inserted more versions of the same malware (they may have used as many as five, security researchers say), the security system sent out more alerts, each the most urgent on FireEye’s graded scale, says the person who has consulted on Target’s probe. The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off… Target had done a months-long test of FireEye that ended in May and was rolling out the technology throughout the company’s massive IT system. It’s possible that FireEye was still viewed with some scepticism by its minders at the time of the hack, say two people familiar with Target’s security operations…
Head on over to Bloomberg to read the full story; the whole thing is fascinating. Deeply, deeply troubling, yes, but fascinating nonetheless. [Bloomberg]