backtop


Print 8 comment(s) - last by thehadgi.. on Mar 15 at 11:41 AM

It received notifications of suspicious activity on November 30

Target's massive data breach over the holiday season last year could've been stopped earlier had the company's officials responded to warnings. 
 
According to Bloomberg's BusinessWeek, Target officials received warnings of suspicious malware on November 30, 2013, indicating a possible data breach. However, they moved too slowly in responding to these warnings, leading to millions of customer credit/debit cards and personal information being stolen. 
 
Target possesses a malware detection tool made by FireEye Inc., which is ran by security specialists in Bangalore, India. These specialists monitor Target's digital activity, and on November 30, they sent notifications to Target officials in Minneapolis about the malware. 
 
The specialists in India sent additional warnings on December 2 as additional malware surfaced. FireEye's security system has the ability to automatically delete such malware, but Target’s security team turned off the feature. This means the malware had to be deleted manually, but the Target officials in Minneapolis failed to do so right away. 
 
Had they done so, the massive breach could have been stopped much sooner, sparing many millions of customers. 
 
The breach ended up running from November 27 to December 18, where 40 million credit and debit card records were stolen and another 70 million records with customer information like addresses and telephone numbers were taken. 


[SOURCE: NPR]

Last week, Target's Chief Information Officer Beth Jacob resigned in the wake of the data breach. Jacob held the CIO position since 2008, where she was in charge of Target's website, internal computer systems, and everything in between. 

When the data breach happened last year, a lot of the blame likely fell on Jacob's shoulders, which could be the reason for her resignation. 

Since the breach, Target has been working to make fixes to ensure that it won't happen again. One of these fixes is a call for smartcards, which could replace current credit and debit cards. 

Smartcards, unlike current credit and debit cards used in the U.S., have a tiny microprocessor chip that encrypts the user's personal data shared with the merchant's sales terminals. Traditional credit and debit cards have a magnetic strip instead, which hold's the user's information, but can clearly be compromised. If a smartcard number is stolen, it's useless without the microchip. 

To show Target's dedication to the smartcard cause, it's speeding up its goal of bringing its REDcard smartcards to all Target stores by early 2015 -- six months earlier than its previous goal. The chain is making a $100 million investment in the technology to accomplish this goal.  

In addition to smartcards, Target is changing technology and security roles within the company, such as separating the responsibility for assurance risk and compliance (compliance duties at Target were overseen by Target's current vice president of assurance risk and compliance). 

Source: BusinessWeek



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

As An IT Manager This Means Nothing
By Arsynic on 3/13/2014 2:24:17 PM , Rating: 2
Our mulit-layered systems alert us of potential malicious activity all the time. We get hundreds of alerts per week. A good portion of these are false positives. As a habit, I block everything suspicious that comes from specific countries like Russia or China. Target being an online retailer has no such luxury. They can't afford to block out entire countries.

So someone has to filter through the thousands of alerts and figure out which ones are legit and which aren't. When I originally heard this story, I thought that Target's internal IT team brought this to management and they ignored it. I didn't know it was a vendor who is now just covering their asses (as they should). With the thousands of false positives, who would sit there and filter through each of those in a timely manner?




RE: As An IT Manager This Means Nothing
By amanojaku on 3/13/2014 3:34:07 PM , Rating: 2
I disagree. Target contracted a security company to monitor its systems. These are not user desktops; they are credit card processing stations and databases containing sensitive customer information. Even a false positive should be checked.

The intrusions did not come from the outside. The intruders were already in through a trusted 3rd party network, so the attacks would not register as coming from Russia. The data didn't even go directly TO Russia; they went to an intermediate set of US systems before going to Moscoq.

The someone filtering the alerts is FireEye, whose warning Target ignored. The first warning was Nov. 30. The second was Dec. 2. Data didn't leave Target until Dec. 2, when the second alert was generated.

It looks like FireEye did its job correctly. Target could have stopped this.


RE: As An IT Manager This Means Nothing
By Arsynic on 3/14/2014 9:53:03 AM , Rating: 3
It's a situation of the Boy Who Cried Wolf. When you have thousands of alerts per day, the majority of which are false positives, who will filter through all of that? Fire Eye's job was to send out alerts which were most likely automated. It was up to Target to decide which of those alerts were actionable.

In the perfect world, all organizations would investigate and scrutinize every single IT alert. But in the real world with limited resources, who is going to do this. That was my point.


By thehadgi on 3/15/2014 11:41:36 AM , Rating: 2
I'm not disagreeing on the fact that assessing threats involves a large amount of resources.

But regardless of the amount of effort involved in evaluating potential threats, it's still the simple truth: As a business, you have a financial responsibility to your shareholders to ensure an appropriate risk-assessment for investing in security evaluation of threats. Target failed in this case, losing millions in sales and hurting its market standing. This failure stems from executive management/direction; as a manager you have to work within your means provided from above, thus I think it's appropriate the CIO stepped down.

Excuses for amount of effort involved just is not going to cut it when large stakes are involved, especially in hindsight. This may be a sign that companies today need to re-assess their security risk analysis and determine what an appropriate level of investment would be.


Better Idea
By Grast5150 on 3/13/2014 2:10:58 PM , Rating: 2
I am justifing my comment on my understanding of how the individuals gained access to the TARGET network.

Interesting idea, do not connect third party companies such as HVAC monitoring systems to your corporate network with out completely securing away from the production network.

It seems to me that better network understanding and industry standard practices would have prevented this breach instead of SMART Credit Cards. The issue is not the credit or ATM cards but the lack of security standards.

later!!!!




RE: Better Idea
By Arsynic on 3/13/2014 2:32:06 PM , Rating: 4
You don't understand PR and politics do you? It's not about what's practical. It's about what sounds sexy in the media. SmartCards sound sexy. The media doesn't want to hear boring complicated stuff like "securing B2B EDI transactions and expanding our information security policy to cover business associates."

SmartCards wouldn't have protected Target from the breach, it would have just made the customer data more difficult to obtain.


FireEye
By aurareturn on 3/13/2014 3:47:40 PM , Rating: 2
I have a friend working there. Seems like they're doing their jobs well.




Heck of a job, Brownie!
By TechIsGr8 on 3/14/2014 10:16:43 AM , Rating: 2
quote:
Target's Chief Information Officer Beth Jacob resigned in the wake of the data breach


Nice work, Beth. Wonder where she'll end up, likely overpaid, back in a cushy C-suite position again. She should not be in a leadership position in IT ever again, this was an egregious error in judgment and practice.




"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki