Target warned of hack but didn't immediately respond
By Devin Coldewey, NBC News
(NBC) - Target received warnings from its internal security system about last year's massive breach before the data was stolen, but failed to act, according to a new report from Bloomberg Businessweek. If true, this negligence could be very costly for the already-battered retailer.
According to the report, a recently installed digital security system called FireEye flagged the malware uploaded by hackers as a high-priority problem on Nov. 30 — after Target's point-of-service system had been infected, but before the data had been passed on to the hackers themselves.
In fact, FireEye could have deleted the malware automatically, but that option was turned off — though that is a normal setting for system admins who want to handle such things manually.
To be fair to Target, FireEye may not have been known and trusted at that point, having only started widely rolling out last May. And the departure of a Target security executive the month before the hack may also have left the department operating at less than peak efficiency.
But while a delay of a day or two while facts are checked and authorities alerted may have been understandable, Target didn't publicly acknowledge the hack until Dec. 19, a full week after it says federal investigators alerted the company.
The hack of Target's POS system, in which the credit/debit card data of 40 million people were leaked, is under continuing investigation.
Target issued the following statement Thursday to NBC News addressing the Bloomberg article:
"Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different."
The company did not respond to questions about the timing of said evaluation.