Hackers found Target was easy pickings

It was, in essence, a cybercriminal’s dream.

For months, an amorphous group of Eastern European hackers had been poking around the networks of major U.S. retailers, searching for loose portals that would take them deep into corporate systems.

In early November, before the Christmas shopping season began, the hackers found what they had been looking for - a wide path into Target and beyond.

Entering through a digital gateway, the criminals discovered that Target’s systems were astonishingly open - lacking the network segmentation and intrusion monitoring, the virtual walls and motion detectors, found in secure networks like those of many banks. Without those safeguards, the thieves moved swiftly into the company’s servers holding Target’s customer data and on to the crown jewel: the in-store systems where consumers swipe credit and debit cards and enter PINs.

For weeks, the intrusion went undetected; the malware installed by the hackers escaped whatever anti-virus protections Target had. Shoppers flooded Target stores during Thanksgiving weekend and into the following weeks of holiday deals, unwittingly sending millions of card records into systems controlled by a band of sophisticated thieves.

Target had no clue until the Secret Service alerted the company about two weeks before Christmas. Investigators who had been tracking these criminals overseas and monitoring suspicious credit activity spotted in December one common thread: charges and payments made at Target.

At least one major bank noticed a similar pattern. On Dec. 12, JPMorgan Chase alerted some credit-card companies that fraudulent charges were showing up on cards used at Target, people involved in the conversation said.

An examination by The New York Times into the enormous data theft, including interviews with people knowledgeable about the investigation, cybersecurity and credit experts and consumers, shows that Target’s system was particularly vulnerable to attack. It was remarkably open, experts said, which enabled hackers to wander from system to system, scooping up batches of information.

Investigators have been piecing together the timetable of the attack and continue to monitor the potential for additional fraud, especially because experts say that batches of stolen credit-card data have yet to be dumped on the black market.

The theft involved confidential credit- and debit-card data of as many as 40 million Target customers, and personal information, such as phone numbers and addresses, of as many as 70 million more.

With Secret Service agents in Minneapolis investigating the extent of the fraud, Javelin Strategy & Research, a consulting firm, estimates the total damage to banks and retailers could exceed $18 billion.

Consumers could be liable for more than $4 billion in uncovered losses and other costs. Investigators also say they think the invasive hack at Target was part of a broader campaign targeting at least half a dozen major retailers. So far, one other retailer, Neiman Marcus, has said that its system was breached at the in-store level, not through online shopping, and people with knowledge of the investigations have been reluctant to discuss whether the two are related.

Investigators in recent years have seen some malicious software similar to that installed at Target, but they described the design of this malware on point-of-sale systems as particularly wily.

Once installed, the hackers’ malware snatched customers’ data - read directly off the magnetic stripes of credit and debit cards - that is normally sent for processing to banks and credit-card companies. The stolen information was then copied to and staged on an infected server inside Target, awaiting an order from the criminals.

The code could receive instructions from its handlers in real time and change its behavior at their command.
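The data described above is the Track 2 record a magnetic-stripe reader hands to the register: the card number (PAN), expiry, service code and issuer discretionary data. The following is an added example, not code from the article or from the malware it describes, showing how such records are recognized in an arbitrary byte buffer (a process memory dump, a swap file, a captured payload) by a forensic scanner, which is the same pattern-and-Luhn test a card-stealing tool relies on. The `SAMPLE_MEMORY` buffer is constructed and uses the well-known 4111... test PAN; it is not data from the Target case.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: start sentinel ';', PAN (12-19 digits), field
# separator '=', expiry YYMM, three-digit service code, issuer discretionary
# data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on the PAN; a scanner uses it to discard digit
    runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list[Track2]:
    """Return every Luhn-valid Track 2 record found in a byte buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Track2(pan, m.group(2).decode(),
                               m.group(3).decode(), m.group(4).decode()))
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a report or log should keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed buffer (assumption, not real data): one valid record using the
# 4111... test PAN, one Luhn-invalid decoy, surrounded by filler bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POS-REG-07\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00garbage\x00"
    b";4111111111111112=2512101000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for rec in find_track2(SAMPLE_MEMORY):
        print(mask_pan(rec.pan), rec.expiry_yymm, rec.service_code)
```

Run against a register's memory image, a single hit of this shape is a finding in itself: once the card is read, no PAN in the clear should remain resident anywhere a third party could reach, so a scanner like this doubles as a compliance check on the register software.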

Gregg Steinhafel, Target’s chief executive, declined to be interviewed for this article, and requests for interviews with other company officials involved in the theft investigation were denied. On Friday evening, Steinhafel released a statement, saying: “When the breach was confirmed, I was devastated. I resolved in that moment to get to the bottom of it, and my top priority since then has been our guests. We’ve worked for 51 years to build a real relationship with them, and I am determined to do whatever it takes to secure their trust.”

Steinhafel said in an interview with CNBC last week that he first learned of the data break-in when he received a phone call at home Dec. 15. Secret Service and Justice Department officials had already met with Target employees a few days earlier to notify them of their suspicions.

By then, credit and debit cards were showing up on the black market, and shoppers were seeing unauthorized charges on their bills.

It was not the first time criminals had managed to get inside a store’s point-of-sale systems at their registers.

But recently, criminals’ techniques have evolved. At the FBI, a former official said there had been instances where criminals had managed to physically implant malicious code into point-of-sale systems on the factory floor. In most cases, however, criminals installed the malware remotely after breaking into an organization through other means.

This time, the code the criminals used instructed Target’s registers to send customer data back to the infected Target server once every hour, on the hour, and to cover its own tracks. After siphoning the data back to the infected server, the malicious code immediately deleted the file on the register where it had been staged, leaving no copy behind, according to iSight Partners, a security firm working with the Secret Service to investigate the attacks.

Within two weeks, criminals had taken 11 gigabytes worth of Target’s customer data, including 40 million payment-card records, encrypted PINs and 70 million records containing Target customers’ information.

Shortly after, company executives flocked to headquarters and onto conference-call lines to begin coordinating the response.

Forensics experts were brought in from Verizon, led by Bryan Sartin, and from Mandiant, a computer-security firm that responds to breaches, extortion attacks and economic espionage campaigns. They began digging through Target’s firewall logs, Web-traffic logs and emails, looking for digital fingerprints and trying to determine how the criminals got in, what they took and how to stop the bleeding.
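The hourly, on-the-hour transfer from the registers to a single internal server described above is exactly the kind of regularity a reviewer of firewall logs can hunt for. The following is an added example, not from the article or from the investigators, of that check: it groups connection records by source and destination, and flags pairs whose connections land within a few seconds of the top of the hour and recur at a fixed one-hour spacing. The log format and every address in `SAMPLE_LOG` are constructed for the example and are not Target's logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style connection log (assumption): two register hosts
# (10.20.5.11, .12) push to one internal server (10.20.0.50) on the hour;
# ordinary, irregular HTTPS traffic to 10.20.0.9 is mixed in as noise.
SAMPLE_LOG = """\
2013-12-02T01:00:03 allow src=10.20.5.11 dst=10.20.0.50 dport=445 bytes=182340
2013-12-02T01:00:05 allow src=10.20.5.12 dst=10.20.0.50 dport=445 bytes=177012
2013-12-02T01:17:41 allow src=10.20.5.11 dst=10.20.0.9 dport=443 bytes=4821
2013-12-02T02:00:02 allow src=10.20.5.11 dst=10.20.0.50 dport=445 bytes=190551
2013-12-02T02:00:04 allow src=10.20.5.12 dst=10.20.0.50 dport=445 bytes=168900
2013-12-02T02:33:10 allow src=10.20.5.12 dst=10.20.0.9 dport=443 bytes=5102
2013-12-02T03:00:01 allow src=10.20.5.11 dst=10.20.0.50 dport=445 bytes=201733
2013-12-02T03:00:06 allow src=10.20.5.12 dst=10.20.0.50 dport=445 bytes=174211
2013-12-02T03:05:10 allow src=10.20.5.13 dst=10.20.0.9 dport=443 bytes=5001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) allow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, src, dst, bytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["bytes"]))


def periodic_pairs(log_text, period=3600, tol=30, min_events=3):
    """Return (src, dst, count, total_bytes) for every src->dst pair whose
    connections all fall within `tol` seconds of the top of the hour and
    are spaced `period` seconds apart, at least `min_events` times."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse(log_text):
        by_pair[(src, dst)].append((ts, nbytes))

    flagged = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < min_events:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        on_the_hour = all(ts.minute * 60 + ts.second <= tol for ts in times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = all(abs(g - period) <= tol for g in gaps)
        if on_the_hour and regular:
            flagged.append((src, dst, len(events), sum(n for _, n in events)))
    return flagged


if __name__ == "__main__":
    for src, dst, count, total in periodic_pairs(SAMPLE_LOG):
        print(f"{src} -> {dst}: {count} on-the-hour transfers, {total} bytes")
```

The value of the check is in the grouping, not the threshold: a single register talking to a back-office file share is unremarkable, but dozens of registers each making a sizeable transfer to the same host at the same minute every hour is a pattern that no normal retail workload produces. Loosen `tol` or drop the top-of-hour condition to catch schedules that are merely regular rather than aligned to the clock.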

Investigators went about plugging Target’s security holes, wiping malware from the company’s point-of-sale systems and changing passwords. It was important to do everything at once, so that the intruders could not use a foothold that was still open to return while the rest was being cleaned up.

Others in the company started planning just how, and when, to disclose the news to the public. Then, they set about trying to determine the scope of the breach, so they could notify affected customers, determine liability and get ahead of the news cycle.

On the morning of Dec. 18, voice messages started popping up on Target’s public-affairs line from Brian Krebs, a prominent security blogger. Krebs, 41, who specializes in cybercrime, was asking about a big data breach.

In underground forums, criminals had been bragging that they had obtained a huge, very fresh batch of cards. And banks were dealing with a spike of fraudulent purchases.

Krebs said in an interview that one contact at a large bank he would not name said he had visited one of the more reliable underground credit-card sites - a site called Rescator - and bought a large batch of cards.

The common point of purchase was Target, and all the purchases had been made between Thanksgiving and mid-December. After further investigation, Krebs began leaving messages with the company for comment.

Officials said the company’s plan was always to go public quickly. By the time Krebs’ story was posted, a news release had already been written and the portion of Target’s website devoted to the breach was already being built. The company decided not to immediately make a public comment or issue a news release. Instead, Target officials waited until the website was ready and everyone who would be answering questions would have the same answers on hand. A team of people worked all night to have the response ready.

On Dec. 19, the team on the front lines of the response arrived at headquarters, and before the sun was up, the release was sent out.

Customers jammed the company’s website and phone lines and continue to be angered by the violation of their privacy.

Nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status. Credit-card companies and banks have replaced many customers’ cards and accounts in the wake of the breach but warn that people should still vigilantly scrutinize their statements and account charges.

Outside the corporation, attorneys general in several states and federal authorities also are investigating Target’s data breach.

But it appears that the hackers left a few clues behind that may aid investigators. One was a small word embedded in the code: Rescator.

Despite the sophistication of the malware, this was, by several accounts, a rookie mistake. The name was left there when the criminals were debugging their code.

It was the same name of the underground card site, Rescator.la, where a bank official had first purchased cards before tipping off Krebs, he said.

Krebs scoured the Web for clues to Rescator’s identity. In a deleted comment from August 2011, he noted that Rescator introduced himself as “Hel,” one of the three founders of a defunct hacker forum called darklife.ws. Krebs posted some of the information he learned about aliases that may be related to Rescator, tracing one of them to Odessa, Ukraine.

But investigators have not publicly pinpointed the location of the criminals’ nerve center, suggesting instead that the hackers tend to move around, gather, disband and regroup.

Meanwhile, security firm IntelCrawler said Friday that it has identified a Russian teenager as the author of the malware probably used in the cyberattacks against Target and Neiman Marcus, and that it expects more retailers to acknowledge that their systems were breached.

In a report posted online, the Sherman Oaks, Calif., company said the author of the malware used in the attacks has sold more than 60 versions of the software to cybercriminals in eastern Europe and in other countries.

The firm said the 17-year-old has roots in St. Petersburg. He reportedly has a reputation as a “very well-known” programmer in underground marketplaces for malicious code, according to the report.

The company said the teenager did not perpetrate the attacks, but that he wrote the malicious programs - software known as Black-POS - used to infect the sales systems at Target and Neiman Marcus. Andrew Komarov, the chief executive of IntelCrawler, said the attackers who bought the software entered retailers’ systems by trying several easy passwords to access the registers remotely.

He added that there do not appear to be many restrictions on who has access to the remote point-of-sale servers in numerous companies. This, he said, could enable hackers to gain access to a prime target: back-office servers where criminals can pick up pools of data from multiple stores.

Target declined to comment on the report. Neiman Marcus spokesman Ginger Reeder said she has heard no claim about weak passwords from anyone with direct knowledge of the retailers’ system.

Komarov first identified the software last March and reported it to Symantec and other security firms. Before both breaches, IntelCrawler said in its post, the company detected attempted attacks on point-of-sale terminals across the United States, Australia and Canada.

That indicates that more companies, specifically retailers, are likely to discover attacks on their systems in the near future, company executives said. The firm has identified six additional breaches at other retailers of various sizes across the country, Komarov said. He did not identify those retailers.

Information for this article was contributed by Elizabeth A. Harris, Nicole Perlroth, Nathaniel Popper, Hilary Stout and Matt Apuzzo of The New York Times and by Hayley Tsukayama of The Washington Post.

Front Section, Pages 1 on 01/19/2014