Report: Target Missed Its Chance To Prevent Data Breach

Play associated audio

Late last year, during the holiday season, hackers somewhere in Europe stole 40 million credit and debit card numbers and tens of millions of other pieces of personal information from Target customers in the United States. As reported by Bloomberg Businessweek's Michael Riley, the malware attack wasn't particularly sophisticated or unique, and Target's security systems were extensive and ready for such an attack — and yet Target missed the early security warnings.

After the hack was made public, Target customers filed more than 90 lawsuits against the company for negligence and compensation.

Riley, along with three colleagues, interviewed former Target employees with knowledge about the security systems, and people with knowledge of the hack itself and the aftermath. Riley spoke about the investigation with NPR's Melissa Block.

Interview Highlights

On a malware-detection system installed by Target six months before the attack

Security systems are changing and this is one of the cutting-edge, behavior-based ones. The interesting thing about it is, it was initially funded by the CIA. It essentially sets up a series of virtual computers. Anything that's coming in Target's network, in terms of data, goes through these virtual computers, which are configured exactly like Target's own computers. Essentially, what it does [is] it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer so when malware comes into a network it can actually see what happens to the malware over a period of days, weeks or even years, in a split second. Once that starts to happen it sends out an alert that says, "Hey, there's a piece of hacking malware in your system, you should go fix it." That part of the function worked.

On why Target delayed announcing the security breach

Whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. Attorney and the Secret Service knocked on their door on Dec. 12 and said, "You've got a problem." And it takes them about three days to figure out that all this malware is not just on that one server but on every single or many, many [point of sale] systems through their entire store network in the United States.

On Target's response to the Bloomberg Businessweek investigation

The response was pretty minimal. They pointed out that they're doing a complete review of the security systems that they have in place and that they are trying to figure out how to improve those systems. At this point, it's really the lawyers that have sort of taken control of what their response can or should be.

On hackers in Ukraine and Russia and why the U.S. can't go after them

It's a very boisterous, very well-oiled machine and there are literally millions and millions of credit cards sold around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen they get posted on ... websites that really look like They'll run anywhere from $8-$50, depending on the quality of the cards, things like credit limit. And then you'll pop it into an electronic basket just like Amazon and check out. ... On some level these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine.

Copyright 2014 NPR. To see more, visit


'Southside With You' Has Us Asking: Where Is The Love In Black Movies?

The movie Southside with You is opening in theaters. The film follows Michelle and Barack Obama's very first date, and shows something we don't get too see too often in film: black romance.

Ramen Noodles Are Now The Prison Currency Of Choice

Ramen will buy anything from smuggled fruit to laundry services from fellow inmates, a study at one prison finds. It's not just that ramen is tasty: Prisoners say they're not getting enough food.

Episode 721: Unbuilding A City

Why is it so hard to knock down 17 vacant houses in a shrinking city?
WAMU 88.5

Want To Play Video Games Made In D.C.? Here's Your Chance.

An event called District Arcade brings together 23 locally made video games.

Leave a Comment

Help keep the conversation civil. Please refer to our Terms of Use and Code of Conduct before posting your comments.