Target IGNORED hacker alarms as crooks took 40m credit cards – claim

Staff at US chain Target reportedly failed to stop the theft of 40 million credit card records despite an escalating series of alarms from the company's computer security systems. Bloomberg Businessweek claims that security technology from FireEye detected the malware-powered hack – but Target staff failed to act on the alerts, …

COMMENTS

This topic is closed for new posts.


"The supermarket employed a team of security specialists in Bangalore tasked with monitoring its computers around the clock."

... and there is, ladies and gents, what you get for "outsourcing" something as critical as IT Security.

59
5
Bronze badge

"The supermarket employed a team of security specialists in Bangalore tasked with monitoring its computers around the clock."

Well.

5
2
Silver badge

I was just about to post that myself.

I wonder if it would have made any difference if their security team had paid attention to the alerts because it sounds like senior management have a head in sand policy. I hope some government regulator gives them such a good reaming over this that the CEO can't sit down for a month.

9
0

Do you have any idea how many other Fortune 500 companies outsource their IT security operations and they are operating just fine?

While you just simply posted some dumb*ss comment about outsourcing, you didn't get the critical fact that, the alert was already sent from the Bangalore location, and was just simply ignored by the "big heads" in the US HQ.

No wonder, the IT security was outsourced ...

6
12
Silver badge

Re: what you get for "outsourcing" something as critical as IT Security.

Except that if you read the linked article you'll find that it was the Target directly employed security team that dropped the ball. The outsourced service was on the ball and sent the alerts to the Target Team who promptly ignored them.

Given that the malicious payload is alleged to have had a filename similar to a Dell management component, it's entirely possible the directly employed Target Team, overflowing with your attitude, went, "Idiots have no idea what they're monitoring. That's one of our management components, whitelist it."

Given my time in the trenches, I'm not sure an insourced monitoring team would have gotten through any better than the outsourced team.

13
2
Silver badge
Linux

Meh. Meh I say.

This was a retailer during the holiday rush. This typically involves a change freeze that starts a number of months earlier. You're not going to see much of anything new going on in IT at a retailer once summer ends.

Mucking around with anything will likely require more authority than your typical boffin has.

Just imagine going to your PHB and announcing to him that you've got to go all Andromeda Strain with your point of sale systems right before Xmas.

8
1

Can't blame them, they were probably working in a call center at the same time. There is only so much they can do at the same time, bless their white cotton smocks and sandals.

1
2
Bronze badge

Target, you have one on your back, and you seem to be oblivious to it.

"The supermarket employed a team of security specialists in Bangalore tasked with monitoring its computers around the clock."

First, beaten to the punch.

Second, that's what you get for outsourcing....

Third, damagement strikes AGAIN!!!! Didn't these dumb fucks get the message from the RBS fuckup - "Don't outsource critical functions to third parties" But, bonuses all around for ...

It's a Good Thing I don't shop there!!!!

1
2
Silver badge

Re: what you get for "outsourcing" something as critical as IT Security.

Given my time in the trenches, I'm not sure an insourced monitoring team would have gotten through any better than the outsourced team.

An insourced team in the same building as the senior people does at least have the ability to go bang on desks in person and look the management in the eye. However, they'd probably be stuck in some other office, and wouldn't have that advantage.

0
0
Anonymous Coward

Re: Meh. Meh I say.

"...a change freeze that starts a number of months earlier."

Quite. And management often believe that if they apply strict change management, nothing bad can ever happen.

When facing a new style of attack using DNS on our obsolete firewalls, the big boss asked who had authorised the change (in the type of attacks). She seemed confused when told that the hackers had not submitted a change request. The upside was that our requests to replace all the obsolete kit and have properly designed, configured and managed network finally made sense to management.

0
0
Bronze badge

Re: what you get for "outsourcing" something as critical as IT Security.

Insource or outsource, if the same people who designed and built it administrated it and monitored it for intrusions, I think it would have been caught and fixed much sooner.

Essentially, you give one organization responsibility to perform a function and leave the details to them. It doesn't matter if they use a DBMS or an office building full of elves and filing cabinets. As long as they keep it running to spec, who cares?

1
0
Bronze badge

"I hope some government regulator gives them such a good reaming over this that the CEO can't sit down for a month."

Any regulatory reaming will be secondary to the crater generating reaming the civil legal action from customers whose data was compromised will be.

0
0

Offshore monitoring operation normal

The Bangalore monitoring team sounds like pretty standard industry practice. Likely, Target contracted for a Security Operations Center to be set up and staffed offshore (India in this case). The Reuters story reported that the Bangalore team forwarded the alerts directly to Target headquarters (no doubt compliant with their SLA). The personnel in Minneapolis were the ones who overlooked the significance of these particular alerts (for the reason stated in the Reuters and The Register's reports).

11
0
Anonymous Coward

Re: Offshore monitoring operation normal

"The Reuters story reported that the Bangalore team forwarded the alerts directly to Target headquarters. The personnel in Minneapolis were the ones who overlooked the significance."...

...Understated but key point. The outsourcing wasn't the issue here, but it did bring about a breakdown in communication, presumably because there was no one to follow it up back home... or the message was misunderstood.

This case should be studied ala Air Crash Investigation, with other corporates taking note. Wow, hacking has become so pervasive, all the doomsayers were right, and things aren't improving either! At the rate we're going, where will we be in 10 years? 20 years? The NSA and 5-Eyes should be focusing their clout tracking down these guys, not dragnet spying on the masses!

4
0
FAIL

Bosses

As long as the guys in charge don't want to hear what they don't want to hear, this is the sort of thing that will happen. There are none so blind as those who will not see; none so deaf as those who will not hear.

16
0
Silver badge
Unhappy

Re: Bosses

Ah the eternal mystery of life: why ARE the dumbasses in charge?

0
0
Bronze badge
Facepalm

Offshoring...Oh Joy...

Having literally just spent the last hour patiently explaining the basics of generating certificates and applying them to a site in IIS to a "colleague" who is a "qualified" windows "system administrator" in Bangalore, you can guess how surprised I am by this story...

14
6
Bronze badge
FAIL

Re: Offshoring...Oh Joy...

I was going to be one of those quoting the bangalore bit, but the later posts got it right. Sounds like it was the guys back home not listening rather than the ones out there not calling.

8
0
Silver badge

Re: Offshoring...Oh Joy...

Not listening? Or not understanding. I've had phone conversations with support based in India for quite a few products over the last 20 years. I've found that some of them, while claiming to speak English, have never seen a US (or UK) pronunciation guide. Their grammar might be absolutely correct, but understanding the actual words is sometimes impossible.

I had a call yesterday with tech support for a very good, useful product and I'm going to have to wait for the email report because I don't know what the guy was saying.

I used to have this problem with Cisco and RSA support until I realized that I could get some sleep while waiting for their Australian call centers to take over from India.

12
5
Silver badge

Re: Offshoring...Oh Joy...

The reports were sent by email. Not sure if phone calls were made, I assume that happened as well. And there was at least a couple day lag between the first event and the second event. Reports are that even if they had acted after the second event they would have stopped the exfiltration of the captured data.

I'd prefer insourced teams myself. But the kind of crap that happened at Target is one of the bullet points the outsourcers use against us.

4
0
Bronze badge

Re: Offshoring...Oh Joy...

Err no. Not this sort of circumstance. Whatever the level of English of the outsourced staff the context is one in which a very limited range of language would be required, very context specific. Which is also why air crew and air traffic control the world round can communicate. They might not be able to discuss politics or films, but they can understand "There's a plane coming towards you!"

2
0
Bronze badge

someone (or several someones) at Target's HQ should be fired

Unfortunately, it probably WON'T be the most correct person, who is probably far enough up the corporate ladder to be "protected" from such disciplinary measures. Some poor middle manager who did his job and passed the warnings up the food chain will wind up taking the fall "for inadequately identifying the potential danger" or similar BS. And the REAL problem will remain unsolved.

12
0

Re: someone (or several someones) at Target's HQ should be fired

The CIO was just fired this month. Sure, she "resigned". And Crimea will "vote" to join Russia.

9
1
Anonymous Coward

Re: someone (or several someones) at Target's HQ should be fired

At least get your politics correct.

Crimea want to secede to Russia. It is what the majority of people living there want (or at least will be voting for). It is the rest of the Ukraine that is saying they can not. Think UK/Northern Ireland/Eire instead of Ukraine/Crimea/Russia.

2
11
Silver badge

Re: someone (or several someones) at Target's HQ should be fired

And if IIRC, the top security post had been vacant at the time of the incident while they conducted the usual corporate search for a new one.

0
0
Anonymous Coward

Re: someone (or several someones) at Target's HQ should be fired

At least get your history correct.

Crimea is only majority pro-Russia as Stalin deported/killed most of the locals (Tatars) after the second world war and then actively "encouraged" Russian emigration to Crimea.

4
1
Silver badge
Mushroom

Re: someone (or several someones) at Target's HQ should be fired

> Crimea want to secede to Russia. It is what the majority of people living there want

Yeah. Like you're such an authority on what a bunch of people in a different country across the continent want.

The whole situation is fishy. Hooligans are running amok. The Russian army is running amok. Enough nonsense is going on that you can't trust a thing that's going on right now. It doesn't help that their parliament was overrun by hooligans.

4
1
Silver badge
Linux

Re: someone (or several someones) at Target's HQ should be fired

It's not even "pro Russian" versus "not pro Russian". It's ETHNIC Russian. It's about what country are your grandparents from. That's an issue entirely orthogonal from what particular political option you are for or against.

Even if you conflate the two, you still have the problem of a very large ethnic minority (or a group of them). It is likely not as simple as some people like to make it out.

1
0
T-C

Re: someone (or several someones) at Target's HQ should be fired

Totally off-topic but I believe the majority of the people in Northern Ireland want to stay part of the UK so Ukraine/Crimea/Russia isn't the same as Think UK/Northern Ireland/Eire.

2
0
Silver badge

Minor correction

Unless it's an artifact of differing dialects between the US and UK, Target is a department store, not a supermarket. In the US a 'supermarket' is usually a store that primarily sells foodstuffs. While Target does have a little food it's far from their primary product.

4
0
Silver badge
Happy

Re: Minor correction

In this case, Target is a target.

2
0

Re: Minor correction

Target isn't really a supermarket in any dialect, but it's also not really a department store, at least in British English. Department stores like John Lewis and Debenhams are relatively classy places. Target is a big shopping shed with a product range something like a combination of Tesco, Currys, Argos and Primark.

4
0
GBE

Re: Minor correction

" Target isn't really a supermarket in any dialect, but it's also not really a department store, at least in British English."

The same is true in USian English. Target's ex-parent-company Dayton's started out with department stores. The Dayton's stores were sold off, and after a series of acquisitions the Dayton's stores now say Macy's on them. At least in the US, Target is usually referred to as a "discount general merchandiser" or something equally awkward.

2
0

Re: Minor correction

Think of Target as equivalent to Walmart - except with a smaller selection of the same cheap merchandise, and most of it priced 30% to 60% higher than Walmart. Amazing what a slick advertising campaign can do.

0
1
Silver badge

Re: Minor correction

It's a department store. It has departments. It's just not as prissy as Herods of London.

0
0
Silver badge

Re: Minor correction

Think of Target as equivalent to Walmart - except with a smaller selection of the same cheap merchandise, and most of it priced 30% to 60% higher than Walmart.

Actually Target generally carries slightly higher end brands than Wal-Mart. Which is not to say it's high quality stuff by any means -- it's not hard to get higher end than the rock bottom garbage Wal-Mart sells. A bit of anecdotal evidence from my experience: the last pair of work khakis I bought from Wal-Mart, at $25, lasted about 4 months before they deteriorated to the point that I was embarrassed to be seen in public in them. The last pair I bought at Target, for $40, have lasted me 2 years so far and show no signs of wearing out any time soon. Where there is direct crossover between the two the prices are comparable, at least for my local stores.

3
0

Re: Minor correction

Really if you want to be totally accurate, it's where the slightly more affluent white trash go shopping.

0
1
Bronze badge

Re: Minor correction

In other words ASDA.

0
0
Silver badge

Re: Minor correction

Really if you want to be totally accurate, it's where the slightly more affluent white trash go shopping.

Not really. If you want to buy things like cookware or soap or bed sheets or coffee makers in a lot of areas in the US your choices are Wal-Mart, Dollar General, or Target. There's simply nowhere else in town to get these sorts of things and Target is the best choice of the three by far. Unless, of course, you abandon brick and mortar stores entirely and order everything online.

2
0

Re: Minor correction

> a combination of Tesco, Currys, Argos and Primark.

So like Tesco then?

0
0
Bronze badge
Paris Hilton

Re: Minor correction - @Jediah another 'minor' correction

Think you will find Herods were kings in ancient Judea (four of them) and don't have a department store in London!

There is however a Harrod's department store in the west end of London which sells some fine (if overpriced) merchandise.

Given the biblical nature of your name I am surprised at you confusing ancient Jerusalem and modern London.

0
0
Silver badge

Re: Minor correction

If they treat their staff better than Walmart then it's worth paying a bit more, especially if the alternative is to shop at Walmart.

2
0
Silver badge

Re: Minor correction

If they treat their staff better than Walmart then it's worth paying a bit more, especially if the alternative is to shop at Walmart.

It'd be hard not to, wouldn't it?

1
0
Silver badge

Re: Minor correction

At least in the US, Target is usually referred to as a "discount general merchandiser" or something equally awkward.

Agreed. "Discount retailer" is the term I think I see most often. Sometimes "upscale discount retailer" to distinguish it from Walmart and the like, as Target, er, targets a somewhat wealthier consumer. (Target's stores are less crowded and more lavishly decorated than Walmart's, and they carry more designer-branded merchandise.)

Of course, being Of A Certain Age, for me Target will always be "the store where Jennifer Connelly rode a rocking horse". Ah, youth.

1
0
Bronze badge

Perhaps this was a head in the sand moment

On the other hand if the security software was chucking out millions of false alerts it's not surprising if the one correct one was ignored.

An employee raising concerns which were apparently ignored sounds bad but if the employee in question was always spouting off about one thing or another or if they were in a blame culture which meant that people always "expressed concerns over security" in order to cover their backsides then I can see how it would be ignored.

Of course it could just be that they screwed up :-)

3
0

Re: Perhaps this was a head in the sand moment

If your security software is chucking out millions of false alerts, it is probably time to ditch it and find one that works. If you just ignore all the alerts, you might as well not have security software at all.

7
0
Anonymous Coward

Re: Perhaps this was a head in the sand moment

re: Cubical Drone

I think you're incorrect, but it depends on what you call a 'false alert'

The problems arise when you try to add security after the fact. If the security device/appliance/etc is in place before the applications are designed, written and deployed, there won't be any reason to dismiss alerts "because that's how it's supposed to work."

If you use 16-digit numbers for transaction IDs, some of them are going to be flagged as credit card numbers, and you can't tell the device "don't scan the transactionID field" because then you have a nicely-defined hole that will never be inspected.

0
2
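The comment above on 16-digit transaction IDs, worked through as an added example that is not part of the original thread: a card-number rule run over constructed records, first as a bare 16-digit match, then with a Luhn check (a common validation step in card-number detectors), then with the `transactionID` field excluded. The record layout, field names, ID range and the `scan` helper are assumptions made for illustration; the card number is the widely published Visa test number.

```python
import re

# Candidate card number: exactly 16 digits, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(records, validate_luhn=True, skip_fields=()):
    """Return (field, value) pairs the rule would raise an alert on."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field in skip_fields:
                continue  # the "nicely-defined hole": never inspected
            for m in PAN_RE.finditer(value):
                if not validate_luhn or luhn_ok(m.group()):
                    hits.append((field, m.group()))
    return hits


def constructed_records(n=1000, first_id=2014031300000000):
    """Constructed sample: sequential 16-digit IDs plus one real-looking PAN."""
    recs = [{"transactionID": str(first_id + i), "note": "sale"}
            for i in range(n)]
    recs[500]["note"] = "card 4111111111111111"  # published Visa test number
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("bare 16-digit match :", len(scan(recs, validate_luhn=False)))
    print("with Luhn check     :", len(scan(recs)))
    print("transactionID skipped:", scan(recs, skip_fields={"transactionID"}))
    # A card number placed in the excluded field is never seen.
    smuggled = [{"transactionID": "4111111111111111", "note": "sale"}]
    print("PAN in skipped field:", scan(smuggled, skip_fields={"transactionID"}))
```

Luhn validation removes nine in ten of the ID false positives but not all of them, and excluding the field silences the rest at the cost of the blind spot the commenter describes.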
Anonymous Coward

Re: Perhaps this was a head in the sand moment

It really wouldn't surprise me if that was the case, some of our high quality, lowest bidder, outsourced to India, code throws errors non stop as part of its "normal" operation.

i.e. you could have up to 4 customers on an account, so let's just fire off 4 'get customer detail' requests, with 3 of them unpopulated for the 99.9% of cases that have just 1 customer. These all generate http 500 errors along with xml parsing errors due to shoddy error handling, for an unpopulated request.

You might be surprised to hear, we suppress alerts on http500, and XML parsing, errors as the devs consider it to be "working as designed" and won't fix it.

1
1
wub

Re: Perhaps this was a head in the sand moment

Agreed.

Try this at your next meeting:

"Please raise your hand if you have ever heard a car alarm. OK, now, keep your hand up if you have heard an alarm when a car was broken into or stolen, otherwise put them down."

They'll all have their hands down at this point.

2
0
Silver badge

Re: Perhaps this was a head in the sand moment

Given FireEye is reported to have a graded alert system, I expect there is built-in triage to filter out noise.

I won't rule out a Too Much Information problem, but to the extent it exists, it was likely a management failure on the Target side. Yeah, I've worked in such environments.

2
0
