March 13, 2014
By Jim Finkle and Susan Heavey
BOSTON/WASHINGTON, March 13 Target Corp's
security software detected potentially malicious
activity during last year's massive data breach, but its staff
decided not to take immediate action, the No. 3 U.S. retailer
said on Thursday.
"With the benefit of hindsight, we are investigating whether
if different judgments had been made the outcome may have been
different," company spokeswoman Molly Snyder said in a
statement.
The disclosure came after Bloomberg Businessweek reported on
Thursday that Target's security team in Bangalore had received
alerts from a FireEye Inc security system on Nov. 30
after the attack was launched and sent them to Target
headquarters in Minneapolis.
The FireEye reports indicated malicious software had
appeared in the system, according to a person whom Bloomberg
Businessweek had consulted on Target's investigation but was not
authorized to speak publicly on the matter.
The alert from FireEye labeled the threat with the generic
name "malware.binary," according to Bloomberg Businessweek. Two
security experts who advise organizations on responding to cyber
attacks, both of whom have experience using FireEye technology, said
that security personnel typically do not get excited about such
generic alerts because FireEye does not provide much information
about those threats.
The experts said that they believed it was likely that
Target's security team received hundreds of such alerts on a
daily basis, which would have made it tough to single out
that threat as being particularly malicious.
"They are bombarded with alerts. They get so many that they
just don't respond to everything," said Shane Shook, an
executive with Cylance Inc. "It is completely understandable how
this happened."
John Strand, owner of Black Hills Information Security, said
that it was easy to paint Target as being incompetent, given the
severity of the breach, but that it was not fair to do so.
"Target is a huge organization. They probably get hundreds
of these alerts a day," he said. "We can always look for someone
to blame. Sometimes it just doesn't work that way."
Target Chief Financial Officer John Mulligan told a
congressional committee in February that the company only began
investigating on Dec. 12, when the U.S. Justice Department
warned the company about suspicious activity involving payment
cards. Within three days, nearly all the malicious software had
been removed from Target's cash registers, he said.
FOLLOW-UP DIDN'T SEEM WARRANTED
"Through our investigation, we learned that after these
criminals entered our network, a small amount of their activity
was logged and surfaced to our team. That activity was evaluated
and acted upon," Snyder said. "Based on their interpretation and
evaluation of that activity, the team determined that it did not
warrant immediate follow up."
Target shares fell 2 percent to $59.86 in late afternoon
trading on the New York Stock Exchange after the company
released the statement.
Some 40 million payment card records were stolen from the
retailer, along with 70 million other records with customer
information such as addresses and telephone numbers.
Congress is investigating the breach along with lapses at
other retailers, and credit card companies are pushing for
better security.
Target also faces dozens of potential class-action lawsuits
and action from banks that could seek reimbursement for millions
of dollars in losses due to fraud and the cost of card
replacements.
A spokesman for FireEye declined to comment. FireEye
shares were up 1.8 percent at $79.05 on Nasdaq.
Representatives for the U.S. Secret Service and Verizon
Communications Inc, which are investigating Target's
breach, declined to comment.
FireEye has a function that automatically deletes malicious
software, but it had been turned off by Target's security team
before the hackers' attack, the Bloomberg report said, citing
two people who audited FireEye's role after the breach.
Shook and Strand said that the vast majority of FireEye's
customers turn off that functionality because it is known for
incorrectly flagging data as malware, which can halt email and
Web traffic for business users.
"FireEye ... is cutting edge," Strand said. "But it takes
love and care and feeding. You have to watch it and monitor it."