Businessweek: Target Didn't Act On Data Breach Alerts

The report alleges Target ignored security alerts before the massive data breach that compromised the information of tens of millions of customers.
Posted at 10:08 PM, Mar 13, 2014

Target announced back in February the retail company was planning to install new anti-fraud technology in the wake of a massive data theft that affected tens of millions of customers. But Businessweek reported Thursday all of the trouble could've been avoided. 

"Hackers began capturing credit card data Nov. 27. Three days later, a sophiscated security tool made by FireEye spotted the malware." 

Target reportedly spent $1.6 million on FireEye, which is used by the Pentagon and the CIA, then hired security personnel in Bangalore, India to monitor the software. 

Businessweek says the specialists sent the alert to Target's security operations center in Minnesota. Then, nothing. "Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes."

Bloomberg Businessweek editor Josh Tyrangiel told CBS many have speculated that the software was too complicated or too new for Target to respond effectively, but added the paper's investigation also revealed something peculiar. 

"Not only did it ignore its own alerts, there's an automated system within FireEye that could've detected and eradicated the malware, the bad software. That feature had been turned off on the system."

According to Mashable, the report contradicts what Target has previously said about the breach. "In a Congressional testimony, the company claims that it only learned of the attack in mid-December, after the U.S. Department of Justice caught it and contacted Target. However, Businessweek cites computer logs that show there were FireEye alerts from Nov. 30 and then Dec. 2, when a second attack occurred. "

Businessweek also reported on a similar misfortune with Neiman Marcus' data breach. The high-end retailer reportedly missed 60,000 security alerts after malware began stealing user information from their stores. (Via Flickr / rocor)

Gizmodo reported the hackers gave the malicious software a name similar to Neiman Marcus' official payment software "making it tough to distinguish suspicious activity from false positives." What's more: the system set to automatically block harmful software was also turned off. 

CNET received a statement from Target regarding the Businessweek story. The statement reads in part, "With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different. Our investigation is ongoing and we are committed to making further investments in our people, processes and technology with the goal of reinforcing security for our guests."