updated 10:58 am EDT, Thu March 13, 2014
Malware identified before it sent any customer data outside Target
Reports are circulating that Target knew of its "Black Friday" data breach much earlier than it said it did. Allegedly, the company was alerted by security firm FireEye that there was a potential problem as early as November 30, but no action was taken. Additionally, auditors discovered that Target had disabled features of its security suite that could have removed the infection, prior to it purloining millions of sets of customer's payment method data.
Potentially at risk from the intrusion between November 29 and December 15, 2013 are "millions" of customer records, including credit and debit card information. The malware installed into the Target point of sale system affected "nearly all" US Target retail stores, but not the online store.
A report at Businessweek claims that India-based researchers found evidence of the breach after examining logs, and informed Target headquarters on November 30. Additional malware was discovered by the company's own sercurity software on December 2. A series of alarms was issued by the software with a highest-priority warning associated, all of which were ignored by Target security personnel.
Compounding the problem, the software's automatic malware-removal features had been disabled by Target security in the months prior to the intrusion. The malware installation was detected so early, that it had not begun to transmit its payload -- customer data -- back to its creators. Timely action by Target's security staff in pruning the malware would have prevented the entire incident from happening, and would have saved Target millions in corrective actions, the researchers say.
When confronted with the security alerts being made and ignored, Target Chief Executive Gregg Steinhafel said that "Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach." He concluded his brief statement by declaring that "the investigation is not complete" and noted that "we don't believe it's constructive to engage in speculation without the benefit of the final analysis."