A Minnesota judge has ordered the unsealing of a 55-page document alleging that in the months leading up to Target's massive data breach in late 2013, the retailer repeatedly missed warnings about malware intrusions, kept unencrypted payment card information on its servers and postponed acting on breach alerts to avoid disrupting Cyber Monday.
The document, filed by attorneys representing five financial institutions that are suing Target over the breach, is associated with a motion asking the court to give the case class action status.
It alleges that the retailer made three decisions that allowed the breach, which compromised tens of millions of credit and debit cards, to occur and greatly increased its severity. First, the filing claims, in October 2013 Target disabled and removed key security features of its Symantec anti-virus product and kept them disabled until after Black Friday. Second, Target installed a FireEye security application but did not enable its malware prevention features. Third, the retailer did not fully integrate that application into its alert-generating system, so that a Dec. 2, 2013, alert about malware associated with the breach went unheeded.
The document also cited testimony from a group manager in Target's security operations center, who said that in April 2012 the retailer discovered unencrypted payment card information dating back six or seven years on servers in almost 300 stores, but took no action on it for nearly six months.
“Even worse, Target continued to retain unencrypted payment card data on its system,” it said. “Specifically, unencrypted card data dating back almost ten years was found in plain text on Target’s servers during the investigation of the breach.”
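Finding cleartext card data on your own servers before an investigator or an attacker does is a mechanical job. The following is an added example, not code from the filing or from Target, of a minimal discovery scanner: it pulls digit runs of card-number length out of text, drops the ones that fail the Luhn check so that order numbers and timestamps do not drown the results, and reports each hit masked so the scanner's own output does not become another copy of cleartext PANs. The log lines are constructed for the example and use publicly known test card numbers.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Coarse issuer guess from the leading digits; enough to triage a hit."""
    if digits[0] == "4":
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if digits[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Hit:
    line_no: int
    masked: str
    brand: str


def find_pans(text: str) -> list:
    """Scan text line by line; report only Luhn-valid candidates, already masked."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append(Hit(line_no, mask_pan(digits), brand_of(digits)))
    return hits


# Constructed sample of a POS log: a 16-digit order number (fails Luhn), a PAN
# mistyped in its last digit (fails Luhn), and two public test card numbers
# that a real scan would flag.
SAMPLE_LOG = """\
2013-11-27T10:02:15 pos07 sale auth ok order=1234567890123456 amt=19.99
2013-11-27T10:02:15 pos07 track2 cache pan=4111 1111 1111 1111 exp=1509
2013-11-27T10:03:40 pos07 sale auth fail pan=4111111111111112
2013-11-27T10:05:01 pos07 batch pan=5500000000000004 amt=42.00
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.brand} {hit.masked}")
```

Run across a file share or database dump this produces a masked inventory of where cleartext card data sits, which is the first input to any retention clean-up; the Luhn filter is what keeps the false-positive rate low enough that the list gets acted on rather than ignored.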
Perhaps most damning, however, is the allegation that Target imposed a "system freeze" from October 2013 to January 2014, a freeze on changes to Target's computer and security systems that made remediation much more difficult "during seasons where Target generated the most revenue," according to the filing. The breach occurred during that period.
"Once the breach began, Target ignored warnings and alerts on November 24, 25, 26, 30 and December 2," the document said. "Target's own employee recognized, based on an alert, that 'someone's using a service account to access all the registers in one store[,]' but Target failed to effectively respond and pushed off responding to alerts in favor of Cyber Monday." Target reacted only after it was contacted by the U.S. Secret Service on Dec. 12, 2013, the filing alleged.
Ultimately, the initial point of access was a phishing email opened by an employee at Target's refrigeration vendor, which had direct access to the retailer's network through its construction management software, the document said. Target hosted that software on its own systems rather than on a third-party server, but it never performed a risk assessment of the vendor or required the vendor to use two-factor authentication to log in, the filing claimed.
In a statement to CU Times, a Target spokesperson strongly denied the allegations in the document.
“Class action counsels’ allegations are not new and are drawn from old, and long disputed, assertions,” the company said. “Target rejects the arguments and characterizations. None of those allegations are currently before the court for resolution. The upcoming hearing is instead limited to whether a class should be certified in this case or not. Target has filed its opposition to class certification. As this is pending litigation, we’re not in a position to comment further.”
According to U.S. Magistrate Judge Jeffrey Keyes, Target asked the court to keep the document under wraps because it contained details that might encourage additional attacks on the retailer and create adverse publicity should the media mischaracterize the litigation. But on Aug. 13, Keyes disagreed and ordered the document made public.
The hearing on class certification is scheduled for Sept. 10.