Six months before its data breach during and after Thanksgiving 2013, Target installed malware detection software designed to alert the retailer's security team about such an incident. Bloomberg Businessweek reported:
"... the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified."
When the hackers commenced their attack during the Thanksgiving holiday:
"... FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened. For some reason, Minneapolis didn’t react to the sirens."
The FireEye software is robust and the breach could have been stopped automatically:
"The system works by creating a parallel computer network on virtual machines. Before data from the Internet reach Target, they pass through FireEye’s technology, where the hackers’ tools, fooled into thinking they’re in real computers, go to work. The technology spots the attack before it happens... The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off."
Some experts claim that turning off the software's automatic malware deletion feature is fairly standard, since it allows management to make decisions and act. It seems to me that if one turns off that feature, then timely action by Target management becomes even more important, because the software is no longer containing anything on its own.
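The two operating modes described above (automatic deletion on, or off with a human expected to act on every alert), as an added example that is not part of the original post and not FireEye's code: a small Python model of an alert-handling policy. It shows what a security team takes on when it disables auto-delete, namely that every alert needs an acknowledgment within a deadline or it must escalate, and it lists the alerts that fired before exfiltration but were never acknowledged. The alert dates follow the article's Nov. 30 and Dec. 2; the times of day, the exfiltration start, the 4-hour acknowledgment SLA, and all identifiers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected_at: datetime
    severity: str   # "high", "medium" or "low"
    detail: str


@dataclass(frozen=True)
class Outcome:
    alert_id: str
    action: str     # "auto_deleted", "acknowledged", "escalated" or "pending"
    lag: timedelta  # time from detection to the action (zero for auto-delete)


def triage(alerts: List[Alert], acked_at: Dict[str, datetime], *,
           auto_delete: bool, now: datetime,
           ack_sla: timedelta = timedelta(hours=4)) -> List[Outcome]:
    """Decide what happens to each alert under one of two policies.

    auto_delete=True  : the detection tool quarantines the sample itself.
    auto_delete=False : a human must acknowledge the alert. A high-severity
                        alert nobody has acknowledged within ack_sla is
                        escalated to a named owner instead of silently waiting.
    """
    outcomes: List[Outcome] = []
    for alert in alerts:
        if auto_delete:
            outcomes.append(Outcome(alert.alert_id, "auto_deleted", timedelta(0)))
            continue
        ack = acked_at.get(alert.alert_id)
        age = now - alert.detected_at
        if ack is not None:
            outcomes.append(Outcome(alert.alert_id, "acknowledged", ack - alert.detected_at))
        elif alert.severity == "high" and age > ack_sla:
            outcomes.append(Outcome(alert.alert_id, "escalated", age))
        else:
            outcomes.append(Outcome(alert.alert_id, "pending", age))
    return outcomes


def missed_window(alerts: List[Alert], acked_at: Dict[str, datetime],
                  exfil_started_at: datetime) -> List[Alert]:
    """Alerts raised before exfiltration began that nobody ever acknowledged.

    This is the window the article describes: alarms that went off early
    enough that the stolen data had not yet left the network.
    """
    return [a for a in alerts
            if a.detected_at < exfil_started_at and a.alert_id not in acked_at]


# Constructed sample data (assumptions for this example, not Target's logs).
SAMPLE_ALERTS = [
    Alert("A-1", datetime(2013, 11, 30, 2, 15), "high", "malware dropped on POS host"),
    Alert("A-2", datetime(2013, 12, 2, 1, 40), "high", "updated malware version observed"),
]
ASSUMED_EXFIL_START = datetime(2013, 12, 2, 12, 0)
NOW = datetime(2013, 12, 2, 12, 0)
NO_ACKS: Dict[str, datetime] = {}
SAMPLE_ACKS = {"A-1": datetime(2013, 11, 30, 3, 0)}   # analyst acknowledged A-1 after 45 min


def demo():
    """Run both policies over the sample alerts with nobody acknowledging anything."""
    with_auto = triage(SAMPLE_ALERTS, NO_ACKS, auto_delete=True, now=NOW)
    without_auto = triage(SAMPLE_ALERTS, NO_ACKS, auto_delete=False, now=NOW)
    missed = missed_window(SAMPLE_ALERTS, NO_ACKS, ASSUMED_EXFIL_START)
    return with_auto, without_auto, missed


if __name__ == "__main__":
    with_auto, without_auto, missed = demo()
    for label, outs in (("auto-delete on", with_auto), ("auto-delete off, no acks", without_auto)):
        print(label)
        for o in outs:
            print(f"  {o.alert_id}: {o.action} after {o.lag}")
    print("unacknowledged alerts raised before exfiltration:", [a.alert_id for a in missed])
```

With auto-delete on, both sample alerts are contained with zero lag; with it off and nobody acknowledging, the policy escalates both once they age past the SLA, and `missed_window` reports both as alerts that fired inside the window where containment would still have mattered. The point of the escalation branch is that "nothing happened" should be impossible as a steady state: an unacknowledged alert must go somewhere else on a clock, not sit in a queue.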
The Bloomberg article explored reasons why Target management didn't react to alerts from the malware detection software. Target's CEO claimed the retailer complied with the PCI industry standard. The non-reaction to the alerts was significant:
"Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network..."
So, the theft of 40 million credit card numbers and sensitive personal information about another 70 million shoppers could have been avoided. Beth Jacob, Target's Chief Information Officer (CIO), resigned earlier this month as a result of the data breach. There needs to be accountability, and one person is not enough. Internal decision and communication processes need to be reviewed and improved so that a non-reaction doesn't happen again. Hopefully, the new CIO will hold responsible members of the retailer's security team accountable.
With numerous lawsuits by banks and shoppers about the retailer's data breach and an ongoing breach investigation, this is far from over.
[Editor's Note: on March 20, I added two paragraphs about Target turning off FireEye's automatic malware deletion feature.]