Target’s security technology detected malicious activity, but the retailer’s security personnel decided not to act on it.
“With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different,” company spokeswoman Molly Snyder said.
Target’s security team in Bangalore received alerts from a FireEye Inc. security system on November 30, after the attack was launched, and forwarded them to Target headquarters in Minneapolis, according to a report by Bloomberg Businessweek.
The FireEye reports indicated that malicious software had appeared on the network, according to a person whom Bloomberg Businessweek consulted on Target’s investigation and who was not authorized to speak on the record.
The alert from FireEye labeled the threat with the generic name “malware.binary.” Two security experts who advise organizations on responding to cyber attacks, both of whom have experience using FireEye technology, said security personnel typically do not get excited about such generic alerts because FireEye provides little information about those threats.
The experts said they believed it was likely that Target’s security team received hundreds of such alerts a day, which would have made it hard to single out that one as particularly malicious.
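The point the experts make is that a label alone carries little signal when it arrives hundreds of times a day; what separates a real intrusion from noise is corroboration, such as the same generic detection appearing on several hosts in a short window or on assets that matter. The following is an added example, not code from the article, from Target, or from FireEye, of that triage step. The alert schema, hostnames, timestamps and the set of high-value hosts are all constructed assumptions for illustration.

```python
"""Promote generic 'malware.binary'-style alerts on corroboration, not on label alone."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in an assumed, simplified schema (not FireEye's real output format).
SAMPLE_ALERTS = [
    {"ts": "2024-01-05T02:10:00", "host": "ws-0412", "label": "adware.generic"},
    {"ts": "2024-01-05T02:11:00", "host": "ws-0097", "label": "adware.generic"},
    {"ts": "2024-01-05T02:14:00", "host": "ws-0412", "label": "adware.generic"},
    {"ts": "2024-01-05T03:02:00", "host": "dc-app-03", "label": "malware.binary"},
    {"ts": "2024-01-05T03:05:00", "host": "dc-app-03", "label": "malware.binary"},
    {"ts": "2024-01-05T03:21:00", "host": "dc-app-07", "label": "malware.binary"},
    {"ts": "2024-01-05T03:40:00", "host": "dc-app-11", "label": "malware.binary"},
    {"ts": "2024-01-05T08:30:00", "host": "ws-2201", "label": "malware.binary"},
    {"ts": "2024-01-05T09:15:00", "host": "ws-0533", "label": "pua.toolbar"},
]

# Assumed asset tags: hosts that sit in, or can reach, the payment environment.
HIGH_VALUE_HOSTS = {"dc-app-03", "dc-app-07", "dc-app-11", "pos-gw-01"}


def summarize(alerts):
    """Raw alert volume per label: the view an analyst sees before any triage."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["label"]] += 1
    return dict(counts)


def _parse(alerts):
    # Convert ISO timestamps and sort chronologically so a sliding window works.
    return sorted(
        ({**a, "ts": datetime.fromisoformat(a["ts"])} for a in alerts),
        key=lambda a: a["ts"],
    )


def escalate(alerts, high_value_hosts, window=timedelta(hours=1), spread_threshold=3):
    """Return one escalation record per label that deserves a human look.

    A single generic detection on one workstation stays in the queue. The same
    label on `spread_threshold` distinct hosts inside `window`, or on any
    high-value host, is promoted: that spread or placement is the corroboration
    the label itself cannot supply.
    """
    by_label = defaultdict(list)
    for a in _parse(alerts):
        by_label[a["label"]].append(a)

    escalations = []
    for label, items in by_label.items():
        for i, anchor in enumerate(items):
            # All alerts with this label inside the window starting at `anchor`.
            in_window = [x for x in items[i:] if x["ts"] - anchor["ts"] <= window]
            hosts = {x["host"] for x in in_window}
            hv = sorted(hosts & high_value_hosts)
            reasons = []
            if len(hosts) >= spread_threshold:
                reasons.append(f"{len(hosts)} distinct hosts within {window}")
            if hv:
                reasons.append("high-value host(s): " + ", ".join(hv))
            if reasons:
                escalations.append({
                    "label": label,
                    "first_seen": anchor["ts"].isoformat(),
                    "hosts": sorted(hosts),
                    "reasons": reasons,
                })
                break  # one escalation per label is enough to page someone
    return escalations


if __name__ == "__main__":
    print("volume by label:", summarize(SAMPLE_ALERTS))
    for e in escalate(SAMPLE_ALERTS, HIGH_VALUE_HOSTS):
        print("ESCALATE", e["label"], e["hosts"], "; ".join(e["reasons"]))
```

With the constructed input, the three `adware.generic` hits and the lone afternoon `malware.binary` on a workstation stay in the queue, while the cluster of `malware.binary` detections across three data-center hosts within forty minutes is escalated on two independent grounds. The thresholds and the asset list are the tunable parts; the design choice is that escalation keys off context the organization already has (asset criticality, spread, timing) rather than off the detection vendor's label.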
“They are bombarded with alerts. They get so many that they just don’t respond to everything,” said Shane Shook, an executive with Cylance Inc. “It is completely understandable how this happened.”
John Strand, owner of Black Hills Information Security, said that it was easy to paint Target as being incompetent, given the severity of the breach, but that it was not fair to do so.
“Target is a huge organization. They probably get hundreds of these alerts a day,” he said. “We can always look for someone to blame. Sometimes it just doesn’t work that way.”
“Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon,” Snyder said. “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.”
Forty million payment card records were stolen from the retailer, along with 70 million other records containing customer information such as addresses and telephone numbers.