Target ignored warnings of the massive credit card hack from the $1.6m security system it had installed specifically to watch out for data thefts, insiders claims, with signs of abuse being flagged weeks before the company recognized the breach. 40m credit card numbers, as well as the personal details of around 70m customers, were stolen late in 2013, costing the retailer $61m already in setting up advice hotlines and taking other measures, but which could well run to the billions once compensation and lawsuits are settled.
That could have been avoided, or at least mitigated, had Target heeded the warnings issued by the very systems it had put into place earlier that year to watch out for data theft attempts. Midway through 2013, the company installed malware detection from FireEye, Bloomberg Businessweek reports, along with 24/7 monitoring from a team in Bangalore to track the data and alert the retailer of anything suspicious.
However, despite that system catching the first installation attempts of the malware on November 30th – weeks before Target admitted publicly that there had been a breach – and warning Target’s security team in Minneapolis, no response was made.
According to eighteen people familiar with Target’s systems and the breach itself that Bloomberg Businessweek spoke to, the notifications were simply overlooked. That’s despite a second warning, on December 2nd, of fresh malware being injected.
Had Target reacted when the hacks were first flagged, it could have prevented the leak before any customer data was stolen.
Target Chairman, President, and CEO Gregg Steinhafel has declined to comment on specifics of the breach, however, arguing that the retailer is still in the midst of figuring out what went wrong and what needs to change.
“While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards” he pointed out. “However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”
The hackers are believed to have used the security credentials of one of Target’s HVAC vendors to get into the company’s systems, installing malware that intercepted and collected credit card details during the checkout process. Target was only notified of the breach on December 12th, almost two weeks after FireEye first flagged malware.