Report: Target Missed Its Chance To Prevent Data Breach

Enlarge this image toggle caption Damian Dovarganes/AP Damian Dovarganes/AP

Late last year, during the holiday season, hackers somewhere in Europe stole 40 million credit and debit card numbers and tens of millions of other pieces of personal information from Target customers in the United States. As reported by Bloomberg Businessweek's Michael Riley, the malware attack wasn't particularly sophisticated or unique, and Target's security systems were extensive and ready for such an attack — and yet Target missed the early security warnings.

After the hack was made public, Target customers filed more than 90 lawsuits against the company for negligence and compensation.

Riley, along with three colleagues, interviewed former Target employees with knowledge about the security systems, and people with knowledge of the hack itself and the aftermath. Riley spoke about the investigation with NPR's Melissa Block.

Interview Highlights

On a malware-detection system installed by Target six months before the attack

Security systems are changing and this is one of the cutting-edge, behavior-based ones. The interesting thing about it is, it was initially funded by the CIA. It essentially sets up a series of virtual computers. Anything that's coming in Target's network, in terms of data, goes through these virtual computers, which are configured exactly like Target's own computers. Essentially, what it does [is] it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer so when malware comes into a network it can actually see what happens to the malware over a period of days, weeks or even years, in a split second. Once that starts to happen it sends out an alert that says, "Hey, there's a piece of hacking malware in your system, you should go fix it." That part of the function worked.

On why Target delayed announcing the security breach

Whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. Attorney and the Secret Service knocked on their door on Dec. 12 and said, "You've got a problem." And it takes them about three days to figure out that all this malware is not just on that one server but on every single or many, many [point of sale] systems through their entire store network in the United States.

On Target's response to the Bloomberg Businessweek investigation

The response was pretty minimal. They pointed out that they're doing a complete review of the security systems that they have in place and that they are trying to figure out how to improve those systems. At this point, it's really the lawyers that have sort of taken control of what their response can or should be.

On hackers in Ukraine and Russia and why the U.S. can't go after them

It's a very boisterous, very well-oiled machine and there are literally millions and millions of credit cards sold around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen they get posted on ... websites that really look like Amazon.com. They'll run anywhere from $8-$50, depending on the quality of the cards, things like credit limit. And then you'll pop it into an electronic basket just like Amazon and check out. ... On some level these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine.