Information Security News
mailing list archives
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 14 Mar 2014 08:51:55 +0000 (UTC)
By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack
Bloomberg Businessweek Technology
March 13, 2014
The biggest retail hack in U.S. history wasn’t particularly inventive, nor
did it appear destined for success. In the days prior to Thanksgiving
2013, someone installed malware in Target’s (TGT) security and payments
system designed to steal every credit card used at the company’s 1,797
U.S. stores. At the critical moment—when the Christmas gifts had been
scanned and bagged and the cashier asked for a swipe—the malware would
step in, capture the shopper’s credit card number, and store it on a
Target server commandeered by the hackers.
It’s a measure of how common these crimes have become, and how
conventional the hackers’ approach in this case, that Target was prepared
for such an attack. Six months earlier the company began installing a $1.6
million malware detection tool made by the computer security firm FireEye
(FEYE), whose customers also include the CIA and the Pentagon. Target had
a team of security specialists in Bangalore to monitor its computers
around the clock. If Bangalore noticed anything suspicious, Target’s
security operations center in Minneapolis would be notified.
On Saturday, Nov. 30, the hackers had set their traps and had just one
thing to do before starting the attack: plan the data’s escape route. As
they uploaded exfiltration malware to move stolen credit card
numbers—first to staging points spread around the U.S. to cover their
tracks, then into their computers in Russia—FireEye spotted them.
Bangalore got an alert and flagged the security team in Minneapolis. And
For some reason, Minneapolis didn’t react to the sirens. Bloomberg
Businessweek spoke to more than 10 former Target employees familiar with
the company’s data security operation, as well as eight people with
specific knowledge of the hack and its aftermath, including former
employees, security researchers, and law enforcement officials. The story
they tell is of an alert system, installed to protect the bond between
retailer and customer, that worked beautifully. But then, Target stood by
as 40 million credit card numbers—and 70 million addresses, phone numbers,
and other pieces of personal information—gushed out of its mainframes.
Find the best IT Security talent without breaking your recruiting budget.
Jobs cross-posted to Simply Hired, Facebook and LinkedIn.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/
- Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It InfoSec News (Mar 14)