Report: Target Missed Its Chance To Prevent Data Breach | WAMU 88.5 - American University Radio

Report: Target Missed Its Chance To Prevent Data Breach

Play associated audio

Late last year, during the holiday season, hackers somewhere in Europe stole 40 million credit and debit card numbers and tens of millions of other pieces of personal information from Target customers in the United States. As reported by Bloomberg Businessweek's Michael Riley, the malware attack wasn't particularly sophisticated or unique, and Target's security systems were extensive and ready for such an attack — and yet Target missed the early security warnings.

After the hack was made public, Target customers filed more than 90 lawsuits against the company for negligence and compensation.

Riley, along with three colleagues, interviewed former Target employees with knowledge about the security systems, and people with knowledge of the hack itself and the aftermath. Riley spoke about the investigation with NPR's Melissa Block.


Interview Highlights

On a malware-detection system installed by Target six months before the attack

Security systems are changing and this is one of the cutting-edge, behavior-based ones. The interesting thing about it is, it was initially funded by the CIA. It essentially sets up a series of virtual computers. Anything that's coming in Target's network, in terms of data, goes through these virtual computers, which are configured exactly like Target's own computers. Essentially, what it does [is] it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer so when malware comes into a network it can actually see what happens to the malware over a period of days, weeks or even years, in a split second. Once that starts to happen it sends out an alert that says, "Hey, there's a piece of hacking malware in your system, you should go fix it." That part of the function worked.

On why Target delayed announcing the security breach

Whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. Attorney and the Secret Service knocked on their door on Dec. 12 and said, "You've got a problem." And it takes them about three days to figure out that all this malware is not just on that one server but on every single or many, many [point of sale] systems through their entire store network in the United States.

On Target's response to the Bloomberg Businessweek investigation

The response was pretty minimal. They pointed out that they're doing a complete review of the security systems that they have in place and that they are trying to figure out how to improve those systems. At this point, it's really the lawyers that have sort of taken control of what their response can or should be.

On hackers in Ukraine and Russia and why the U.S. can't go after them

It's a very boisterous, very well-oiled machine and there are literally millions and millions of credit cards sold around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen they get posted on ... websites that really look like Amazon.com. They'll run anywhere from $8-$50, depending on the quality of the cards, things like credit limit. And then you'll pop it into an electronic basket just like Amazon and check out. ... On some level these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

WAMU 88.5

Art Beat With Lauren Landau, June 2, 2015

You can see an exhibit paired with its ornate inspiration. Works made with a special technique are on view at a local museum.
NPR

A Tome For Peruvian Food, By Its Most Acclaimed Ambassador

Gaston Acurio is the world's premiere cheerleader for Peruvian cuisine, and he's just written a cookbook. It features 500 recipes from around the country — including more than 20 kinds of ceviche.
NPR

U.S. House Calls On Iran To Release American Political Prisoners

Congress may soon pass a resolution calling on Iran to free several Americans being held prisoner there, and demanding information about a former FBI agent who went missing.
NPR

The Quantified Student: An App That Predicts GPA

Researchers found that a phone's activity tracker can automatically predict students' school performance.

Leave a Comment

Help keep the conversation civil. Please refer to our Terms of Use and Code of Conduct before posting your comments.