Target Corp. admitted Thursday that its online security protection detected potentially malicious activity in connection with the massive company data breach last year, but staff ultimately decided not to take immediate action, Reuters reports.
The news service says Target made the disclosure after a Bloomberg Businessweek report Thursday about the discovery by the company's $1.6 million malware detection tool, FireEye. The California-based company, whose clients include the CIA and the Pentagon, had a team of specialists in Bangalore, India, to monitor the Minneapolis-based retailer's computers around the clock, according to Bloomberg.
"On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route," Bloomberg said. "As they uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia – FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … nothing happened."
The company received another alert Dec. 3, the publication said.
"With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," Target spokeswoman Molly Snyder said in a statement Thursday.
A reported 40 million payment card records were stolen from Target along with 70 million other records, including customer information.
"Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network," Bloomberg said. "Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all."
Despite the outcome of the alert, a computer security expert told Reuters that it was "understandable" that Target didn't react to the alert, since the company likely receives hundreds of threats per day.
"They are bombarded with alerts. They get so many that they just don't respond to everything," Cylance Inc. executive Shane Shook says. "It is completely understandable how this happened."
Black Hills Information Security owner John Strand also stood up for Target, saying it's easy to accuse the company of being incompetent given the severity of the breach.
"Target is a huge organization. They probably get hundreds of these alerts a day," Strand tells Reuters. "We can always look for someone to blame. Sometimes it just doesn't work that way."
However, because the FireEye system is so sophisticated, the number of alerts it puts out is small and the number of false positives is small, one of the report's investigative journalists, Michael Riley, told Bloomberg TV.
Bloomberg said it had attempted to ask Target Chairman, President and Chief Executive Officer Gregg Steinhafel about why the company didn't immediately respond to the threat.
Steinhafel emailed Bloomberg a statement in return, which said in part: "Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience."
In the wake of the massive data breach, Target's chief information officer, Beth Jacob, resigned from the company earlier this month. The company also announced that it will overhaul its security management oversight team in response to the data breach.
The Associated Press says Jacob had held the position since 2008 and oversaw teams in the U.S. and India.