ROBERT SIEGEL, HOST:
This is ALL THINGS CONSIDERED from NPR News. I'm Robert Siegel.
MELISSA BLOCK, HOST:
And I'm Melissa Block.
The retail giant Target is still reeling from a massive breach of its payment systems during last year's holiday shopping season. Hackers stole 40 million credit and debit card numbers, and tens of millions of other pieces of personal information - addresses, phone numbers and more. The company faces more than 90 lawsuits and has already spent tens of millions of dollars dealing with the fallout from the breach.
And now, a Bloomberg Businessweek story, out today, contends that Target itself could have prevented the attack. Mike Riley is co-author of that story, and he joins me here in our studios. Welcome to the program.
MIKE RILEY: Thanks very much.
BLOCK: And let's go back and explain. You found out that six months prior to the attack, Target had installed a very sophisticated malware detection system called FireEye, which actually worked exactly as it was intended to work. Tell us a bit about the system and what happened with it.
RILEY: Yeah. Security systems are changing, and this is one of the sort of cutting-edge, really, sort of behavior-based ones. The interesting thing about it, it was initially funded by the CIA. What it does is, it essentially sets up a series of virtual computers. Anything that's coming in Target's network, in terms of data, goes through these virtual computers, which are - configured exactly like Target's own computers.
So essentially, what it does is, it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer. So when malware comes into a network, it can actually see what happens to the malware - over a period of days, weeks or even years - in a split second. Once that starts to happen, it sends out an alert that says hey, there's a piece of hacking malware in your system; you should go fix it.
BLOCK: And that's what happened here. This detection system did exactly that - right? - told Target, something bad is going on here.
RILEY: That's right. That part of the function worked. So on Nov. 30th - and keep in mind, this is before any of the data leaves Target's network - the alerts begin to go off. And for some reason that's not clear, Target didn't act on it in time.
BLOCK: So these malware detection alerts are coming in Nov. 30th, Dec. 2nd. Target says they weren't alerted about the breach until Dec. 12th, by federal authorities. They don't tell consumers until Dec. 19th. Why the delay?
RILEY: That's right. Well, whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. attorney and the Secret Service knocked on their door on Dec. 12th and said, you've got a problem. And it takes them about three days to figure out that all this malware is not just on that one server but on every single - or many, many POS systems through the entire store network in the United States.
BLOCK: You write in your story, Mike, Target stood by as 40 million credit card numbers gushed out of its mainframes. You asked them for a response to your story. What did they tell you?
RILEY: You know, the response was pretty minimal. They pointed out that they are doing a complete review of the security systems that they have in place, and that they are trying to figure out how to improve those systems. At this point, it's really - the lawyers have sort of taken control of what their response can or should be.
BLOCK: It does seem that - I mean, if Target was aware of a massive breach like this, with these huge implications for them, they would have done something about it. I mean, they would have acted if they had known the seriousness of the problem.
RILEY: Yeah, no, I think that's exactly right. I don't think they knew exactly what was going on. It's one thing to sort of get an alert from a system that says you may have malware on your server. It's an entirely different thing to know that 40 million credit cards are leaving your network. It's not that they sat by while they watched 40 million credit cards go out. No responsible company is going to do that. But they had all the pieces of the puzzle. If they'd simply put them together, they could have stopped this.
BLOCK: We've been focusing on the hack itself. But let's talk also about the hackers...
BLOCK: ...because you do a lot of reporting on who they are. Your research led to Ukraine and Russia, to cybergangs notorious for their successes in just these kinds of breaches. Who are these people, and why can't the U.S. go after them?
RILEY: It's a very boisterous, very well-oiled machine. And there are literally millions and millions of credit cards that are stolen around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen, they get posted on carder websites. These are websites that really look like Amazon.com. They'll run anywhere from 8- to $50, depending on the quality of the cards, things like the credit limit. And then you'll pop them into an electronic basket, just like Amazon, and check out.
It's a fascinating world to look in. It's just fascinating to see how efficient this is. On some level, these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine. You can steal data that has value. You can sell that value on an automated website. You can make money from it. And you're really not at much risk.
BLOCK: Mike Riley, reporter for Bloomberg Businessweek, thanks for coming in.
RILEY: You're welcome.
BLOCK: Mike is the co-author of the cover story "Easy Target." It's online today and hits newsstands tomorrow.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.