Problem: Bloomberg Businessweek Case in the News

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It

The biggest retail hack in U.S. history wasn't particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target's (TGT) security and payments system designed to steal every credit card used at the company's 1,797 U.S. stores. At the critical moment-when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe-the malware would step in, capture the shopper's credit card number, and store it on a Target server commandeered by the hackers. On November 30 the hackers had set their traps and had just one thing to do before starting the attack: plan the data's escape route. As they uploaded exfiltration malware to move stolen credit card numbers-first to staging points spread around the United States to cover their tracks, then into their computers in Russia-FireEye, a malware detection tool, spotted them. Target's team of security specialists in Bangalore got an alert and flagged the security team in Minneapolis. And then . . . nothing happened. For some reason Minneapolis didn't react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company's data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then Target stood by as 40 million credit card numbers-and 70 million addresses, phone numbers, and other pieces of personal information- gushed out of its mainframes.

When asked to respond to a list of specific questions about the incident and the company's lack of an immediate response to it, Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued an e-mailed statement: "Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don't believe it's constructive to engage in speculation without the benefit of the final analysis." In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid- December that company investigators went back to figure out what happened. What it hasn't publicly revealed: Poring over computer logs, Target found FireEye's alerts from November 30 and more from December 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn't begun transmitting the stolen card data out of Target's network. Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international hunt for the hackers never would have happened at all.

On November 30, according to a person who has consulted on Target's investigation but is not authorized to speak on the record, the hackers deployed their custom code, triggering a FireEye alert that indicated unfamiliar malware: "malware.binary." Details soon followed, including addresses for the servers where the hackers wanted their stolen data to be sent. As the hackers inserted more versions of the same malware (they may have used as many as five, security researchers say), the security system sent out more alerts, each the most urgent on FireEye's graded scale, says the person who has consulted on Target's probe. The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it's detected. But according to two people who audited FireEye's performance after the breach, Target's security team turned that function off. Edward Kiledjian, chief information security officer for Bombardier Aerospace, an aircraft maker that has used FireEye for more than a year, says that's not unusual. "Typically, as a security team, you want to have that last decision point of ‘what do I do,' " he says. But, he warns, that puts pressure on a team to quickly find and neutralize the infected computers. Source:Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg Business Week, March 13, 2014. Used with permission of Bloomberg L.P. Copyright © 2014. All rights reserved.

Questions for Discussion: 1. Who are the stakeholders in the Target breach?

2. What is the responsibility of each stakeholder group in the breach?

3. Target Chairman, President, and Chief Executive Officer Gregg Steinhafel is quoted as saying that Target was certified as meeting the legal standard. Does being in compliance with the law and other standards negate any charges of unethical behavior on Target's behalf?

4. What can Target do to prove it will act ethically in the future and to regain the trust of its customers?