Target Knew About Credit Card Hack For 12 Days Before Reacting

In a scathing bit of reportage from Bloomberg Businessweek we discover that retailer Target had received word that its security system had been compromised nearly two weeks before it moved to act on the information.

In fact, last year Target hired FireEye, a security firm, to watch their servers for malware. The firm, which has a Bangalore-based response team, informed Target HQ in Minneapolis that someone had hacked the company on November 30. And no one did anything about it.

In short, according to Bloomberg, “for some reason, Minneapolis didn’t react to the sirens.”

The piece, as a whole, is delightfully detailed. It describes Target’s security system as well as FireEye’s “honeypot” servers that fooled attackers into thinking they had dropped into running servers but instead let them fool around in a sandboxed environment while FireEye watched. Then things got a little hairy.

The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off. Edward Kiledjian, chief information security officer for Bombardier Aerospace, an aircraft maker that has used FireEye for more than a year, says that’s not unusual. “Typically, as a security team, you want to have that last decision point of ‘what do I do,’ ” he says. But, he warns, that puts pressure on a team to quickly find and neutralize the infected computers.

What this points to, in the end, is inaction on the part of Target and a clear effort by FireEye to shore up its reputation. If Target couldn’t be bothered to delete the malware, this piece suggests it’s not FireEye’s fault. While it never devolves into throwing anyone under the bus, it’s clear Target’s CIO Beth Jacob, who resigned last week, bore the brunt of the blame.

It just goes to show you that the best laid plans of mice and men gang aft agley. You can read Businessweek’s piece here.