![Target Data Breach Shoppers leave a retail Target on Thursday, Dec. 19, 2013, in Hackensack, N.J.](https://api.time.com/wp-content/uploads/2014/03/target.jpg?quality=85&w=2400)
If you’ve ever used a credit card at Target — or, really, anywhere else — Businessweek’s long story on the Target data breach, by Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, makes for chilling but rewarding reading.
Based in part on interviews with former Target employees, it says that the malware the attackers used to hack the retail chain’s point-of-sale system wasn’t all that sophisticated — and that the company’s security software detected something was amiss, and could have been set to block the attack without human intervention. But Target opted to turn off this option, and the humans in charge of protecting data didn’t intervene. (The fact that a key employee had recently left and hadn’t been replaced may not have helped.)
A few details about the heist:
Once their malware was successfully in place on Nov. 30—the data didn’t actually start moving out of Target’s network until Dec. 2—the hackers had almost two weeks to pillage credit card numbers unmolested. According to SecureWorks, the malware was designed to send data automatically to three different U.S. staging points, working only between the hours of 10 a.m. and 6 p.m. Central Standard Time. That was presumably to make sure the outbound data would be submerged in regular working-hours traffic. From there the card information went to Moscow. Seculert, an Israeli security firm, was able to analyze the hackers’ activity on one of the U.S.-based staging points, which showed them eventually taking 11 gigabytes of data stored there to a Moscow-based hosting service called vpsville.ru. Alexander Kiva, spokesman for vpsville.ru, says the company has too many clients to monitor them effectively, and that it hadn’t been contacted by U.S. investigators as of February.
If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path. The malware had user names and passwords for the thieves’ staging servers embedded in the code, according to Jaime Blasco, a researcher for the security firm AlienVault Labs. Target security could have signed in to the servers themselves—located in Ashburn, Va., Provo, Utah, and Los Angeles—and seen the stolen data sitting there waiting for the hackers’ daily pickup. But by the time company investigators figured that out, the data were long gone.
Businessweek’s piece also delves into the likely suspects behind the breach and why stealing credit-card information and other personal data is such a rewarding business to be in. I hope this doesn’t end up being the definitive article on all this — there’s still a lot we don’t know, and Target itself isn’t really talking — but it’s a remarkable piece of reporting nonetheless.
More Must-Reads from TIME
- Biden Drops Out of Presidential Race , Endorses Harris to Replace Him
- Why Biden Dropped Out
- The Chaos and Commotion of the RNC in Photos
- Why We All Have a Stake in Twisters’ Success
- 8 Eating Habits That Actually Improve Your Sleep
- Stop Feeling Bad About Sweating
- Welcome to the Noah Lyles Olympics
- Get Our Paris Olympics Newsletter in Your Inbox
Contact us at letters@time.com