How Target Made Itself a Target for Hackers

3 minute read

If you’ve ever used a credit card at Target — or, really, anywhere else — Businessweek’s long story on the Target data breach, by Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, makes for chilling but rewarding reading.

Based in part on interviews with former Target employees, it says that the malware the attackers used to hack the retail chain’s point-of-sale system wasn’t all that sophisticated — and that the company’s security software detected something was amiss, and could have been set to block the attack without human intervention. But Target opted to turn off this option, and the humans in charge of protecting data didn’t intervene. (The fact that a key employee had recently left and hadn’t been replaced may not have helped.)

A few details about the heist:

Once their malware was successfully in place on Nov. 30—the data didn’t actually start moving out of Target’s network until Dec. 2—the hackers had almost two weeks to pillage credit card numbers unmolested. According to SecureWorks, the malware was designed to send data automatically to three different U.S. staging points, working only between the hours of 10 a.m. and 6 p.m. Central Standard Time. That was presumably to make sure the outbound data would be submerged in regular working-hours traffic. From there the card information went to Moscow. Seculert, an Israeli security firm, was able to analyze the hackers’ activity on one of the U.S.-based staging points, which showed them eventually taking 11 gigabytes of data stored there to a Moscow-based hosting service called vpsville.ru. Alexander Kiva, spokesman for vpsville.ru, says the company has too many clients to monitor them effectively, and that it hadn’t been contacted by U.S. investigators as of February.

If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path. The malware had user names and passwords for the thieves’ staging servers embedded in the code, according to Jaime Blasco, a researcher for the security firm AlienVault Labs. Target security could have signed in to the servers themselves—located in Ashburn, Va., Provo, Utah, and Los Angeles—and seen the stolen data sitting there waiting for the hackers’ daily pickup. But by the time company investigators figured that out, the data were long gone.

Businessweek’s piece also delves into the likely suspects behind the breach and why stealing credit-card information and other personal data is such a rewarding business to be in. I hope this doesn’t end up being the definitive article on all this — there’s still a lot we don’t know, and Target itself isn’t really talking — but it’s a remarkable piece of reporting nonetheless.

More Must-Reads from TIME

Contact us at letters@time.com