Did Target Ignore Security Warning?Retailer Alerted Weeks Before It Reacted, Report Alleges
Target Corp. is reacting to allegations that it failed to heed an alert warning that malware was detected on the retailer's systems shortly before its massive data breach that compromised 40 million credit and debit cards as well as personal information about some 70 million customers.
See Also: The Global State of Online Digital Trust
In a statement provided to Information Security Media Group on March 13, Target says: "Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon."
The statement continues: "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
Bloomberg Businessweek reported on the apparent early warning of the malware attack, citing 10 former Target employees familiar with the company's data security operation, as well as eight other individuals with specific knowledge of the hack and its aftermath, including security researchers and law enforcement officials.
Businessweek's report says that Target last year installed a malware detection tool from FireEye, and that a team of security specialists in Bangalore monitored Target's computers around the clock.
According to the report, hackers had uploaded exfiltration malware last November. The FireEye tool detected the malware, and the team in Bangalore received an alert, the report states. That team then alerted Target's Minneapolis corporate headquarters, but the alert wasn't acted upon, the report says.
Experts Offer Analysis
FireEye declined to comment about the news report. But some industry sources offered reactions.
Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says FireEye was probably only one of the providers Target was relying upon for network intrusion detection. While the FireEye malware detection system may have raised a flag, the intrusion may not have been detected by the other security systems, thus leaving Target to believe at the time that the now-confirmed attack was a non-event.
"This fact can be explained from the human factor and potential misconfiguration of security providers and solutions used for events monitoring and suspicious actions detection," he says. "Having such a large infrastructure, various SOCs [service organization controls] and SIEMs [security information event management systems] may be absolutely useless, if they were not configured properly, including specifics in whitelisting policies and intrusion detection."
And because Target was a relatively new user of the FireEye system, it was likely still testing the system's reporting and alerts, says Gartner analyst Avivah Litan.
"It seems that they didn't want to put the FireEye system on auto pilot until they were comfortable with its performance," which is a normal practice for newly implemented security software, Litan says.
As a result, Target may have "missed the boat in not paying closer attention to its alerts," she adds. "In their defense, there are so many components of a security system - it's easy to miss the signals from any one of them."
But the misstep, if there was one, just reinforces why technology alone cannot detect or prevent breaches, Litan says. Adequate monitoring and detection requires an equal mix of technology, process and policies, she stresses.
"In this case, Target apparently fell short on process and policies; they had the technology piece down," Litan says. "This is typical for most large organizations. In fact, I have heard several times and from several sources that in the case of each large breach over the past few years, the alarms and alerts went off but no one paid attention to them."
Ken Baylor, research vice president for NSS Labs, says evidence suggests it was Target's procedures, not its technology, that could have failed in this case. "Expensive technology and personnel are not a solution unless they work together effectively," he says. "Basic procedures such as Target's incident ownership, incident hand-off and issue closure appear fundamentally flawed. This is unfortunately common. A poorly executed security escalation procedure was also the key reason for successful fraud in the Experi-Metal vs. Comerica [case]."
Details surrounding the Target breach have continued to unfold since the retailer confirmed Dec. 19 that its systems had been compromised.
In January, Target announced that its breach had been linked to compromised credentials from one of its vendors (see Target Breach: Credentials Stolen). And in early February, Fazio Mechanical Services, a refrigeration vendor that services Target, acknowledged it had been breached (see Target Vendor Acknowledges Breach).
Earlier this month, Target announced it was overhauling its information security and compliance practices, launching a search for a new chief information officer and creating the position of chief information security officer (see Target to Hire New CIO, Revamp Security).
In the wake of the breach, card issuers have filed a number of lawsuits against Target, claiming the retailer should pay for post-breach expenses, including card reissuance costs. Legal experts say these suits may not reap many rewards for the banks, but they are sending a strong message that card issuers want breached retailers to pay for breach-related expenses (see Suits Against Target Make 'Statement').
News writer Jeffrey Roman contributed to this story.