Target has acknowledged that its computer security system had alerted it to suspicious activity after hackers infiltrated its network last year, but the company ultimately decided to ignore it, allowing what would become one of the largest data breaches ever recorded to proceed without a hitch.
“With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different,” Molly Snyder, a spokeswoman for Target, said in a statement Thursday.
Before the attack, Target installed security software designed by FireEye, a security firm based in Milpitas, Calif., according to two researchers who spoke on the condition of anonymity, citing client confidentiality.
FireEye’s software, as it turns out, worked as designed. It isolates incoming Web traffic and looks for suspicious activity. In Target’s case, the software sounded multiple alarms as criminals uploaded tools to siphon out customers’ credit and personal data.
“Like any large company, each week at Target there are a vast number of technical events that take place and are logged,” Snyder said. “Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon.
“Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up,” she said.
On Dec. 19, in the final days of the holiday shopping season, Target confirmed publicly that credit and debit card information for 40 million of its customers had been compromised. A few weeks later, the company said an additional trove of personal information, like email and mailing addresses, from some 70 million people had been exposed as well.
The company has said that when the news became public, its traffic and sales took an immediate and substantive hit, from which it has yet to fully recover. The company spent $61 million related to the breach in the fourth quarter.
The security alerts were first reported by Bloomberg Businessweek.
Since the data theft at Target became public, several other retailers have acknowledged breaches of their own, including Neiman Marcus and the arts and crafts store Michaels. Those two breaches are believed to have come from the same Eastern European group that attacked Target. It may have attacked as many as six other retailers.