Sources close to the Target retail hack investigation have information that seemingly contradicts the public stance on what Target knew and when they knew it, in addition to a host of other details.  The Target compromise alone has affected up to 110 million consumers and over the weekend, the numbers of affected consumers in the marketplace has likely increased based on the news of other breaches reported at Neiman Marcus retail locations and at three other unnamed but well-known retailers during the same holiday shopping period. Late Sunday, a statement from Target CEO Gregg Steinhafel admitted for the first time that the compromise involved malware at their point of sale systems. In the full interview on CNBC’s Monday Squawkbox program, Steinhafel struck an apologetic tone, accepting responsibility for the incident and reassuring customers that the company would win their trust back. Under questioning from host Becky Quick, Steinhafel described a specific 4-day timeline starting on Dec 15, 2013 –a chain of events as they unfolded and the admission that a ‘blogger’ (Brian Krebs) had accelerated the public disclosure that a breach had taken place, adding that at that point in time they were ready to go public anyway.

This new timeline adds a different layer to the thus far publicized information. Details are still somewhat fuzzy, but the report starts with the initial detection of a spike in traffic containing credit information, apparently in the clear and not encrypted.  Information lost in the breach obviously escaped the environment somehow, through some egress, and it is unfathomable that the perimeter security would not have some sort of Data Loss Prevention (DLP) system in place that would have detected this activity, especially given the type of data and volume of data that was lost.

IBM’s Watson gets to work – ten days lost?

According to this account, that anomalous detection actually happened and Target was notified immediately. From there, Target reacted quickly, even bringing in IBM’s services to help find what was going on. IBM’s groundbreaking Watson intelligence services was reportedly deployed into the environment, most likely analyzing information trails to try and discover all that it could. Details on what that may have uncovered are likely confidential, but according to the account, the plug was pulled after ten days of analysis as costs were mounting daily but possibly because an ultimate result was determined. The division of IBM that lines up most with this series of events is IBM’s Business Continuity and Resilience Services, which offers Watson integration in order to scan for vulnerabilities and weaknesses. That is where the alternative timeline ends, right about December 15th when the public timeline kicks off.

This version of events will bring into question when the awareness reached a level that was undeniably something that fell on Target. Consider however this timeline of events would represent an initial triage and investigation, meaning it doesn’t necessarily say that Target was able to isolate the issue to their systems any earlier than Dec 15th.  Incidents of varying severities actually happen quite regularly, so it is warranted and expected that Target would diligently execute investigations before making a determination that something was truly amiss. During a shopping holiday, there are likely to be a number of projects and systems that may have been put into production under the wire, in addition to the incredible volume of transactions from the retail season, so there’s a lot to keep abreast of.

Whose Point of Sale systems?

The scope of attacks across multiple retailers brings up some real big questions though. Who launched this attack?  While Eastern European ‘suspicion’ has been thrown out there in some reports for good historical reasons, it is important to keep all possibilities open as the investigation unfolds.  That’s the key and somehow if indeed it is all related, there will be a common factor. What could possibly be in common to all five retailers? A third-party provider of some type? A payment processor? How about the Point of Sale equipment? POS systems are a very interesting element to all of this. As mentioned when this story first broke, Target had recently updated its POS systems. I shop(ped) there, so I know.  There are a handful of large scale POS systems, and we have not yet confirmed which systems may have been in place. IBM, NCR, Fujitsu are some of the major names in the business. Initial research shows that Target’s vendor of choice in this are historically has been Fujitsu, a POS business line that ties back to the 2002 acquisition of International Computers Limited or ICL. Many of these POS systems (an unfortunate anocrym given the matter) are based on specialized versions of Microsoft’s Windows operating systems. They are typically administered through a centralized image system, which are distributed and published or ‘flashed’ over to the terminals in the environment.

Someone blessed these POS terminals

Going down the rabbit hole a bit here, if the POS systems are indeed a commonality between retailers, then that image is the most likely vector for this breach where the malware wasn’t loaded one by one, but distributed to what amounts to thousands if not millions of POS terminals. Best practices would include a thorough security scan before release to production with a product like Nessus or Qualys against a baseline of software, known build parameters and bit inventory to ensure security and integrity. Somehow that compromised image was built, certified and deployed – and that would be a very big problem. If that’s the case, then the crux of the culpability shifts drastically. Surely, Target and other retailers place a level of trust in whichever POS provider they use that these images are secure.  Still this happened somehow.  The question of potential financial penalties and liability could turn in this case to the POS provider.  Again, there is a lot that will come out still as this all unfolds as there are ongoing investigations happening all around.

We’ve reached out to IBM, Target, and Fujitsu for further comments. Thus far, there is little news still from the four other retailers and Target will likely continue to play things as carefully as possible in the ongoing investigation.  Speculation can be expected in the wild with little publicized information available, but details are starting to come together.  Whether or not this alternate undisclosed chain of events is completely accurate, the ramifications to Target’s operations will not be clear for some time to come.  Until then you can count on a good deal of forensic research happening, towards the eventual goal of determining the perpetrator(s) of this crime and potentially focusing that investigation towards third party providers that may have had access to all five of the known affected retailers.  Everything that is known may not come out in public until/if charges are brought up against the responsible parties or the matter ends up in court cases for years to come.  One last point, Steinhafel was questioned in the CNBC interview on how the US payment system could be made better, which he responded to with a renewed call for widespread adoption of the EMV chip-based card payment system that is used in Europe. It is not clear that such a technology would have prevented this breach, but it is notable that this event would mark such a call to adopt a new technology.

photo credit: rocor &Franco Folini& via photopincc