tv Bloomberg West Bloomberg March 13, 2014 6:00pm-7:01pm EDT
6:00 pm
♪ live from pier three in san francisco, welcome to "bloomberg west." we cover innovation, technology, and the future of business. i'm emily chang. after thet investigation into the massive data breach that exposed 40 million credit and debit card numbers. target security systems quickly detected the hack attack but executives did nothing. we spend the next half hour diving deep into the story, looking at what went wrong and
6:01 pm
when, and the secret black market for credit card information and the underworld of carders who trade it. mark zuckerberg just revealed that he personally called president obama. he called the president to express his frustration over the government surveillance programs, telling president obama that government surveillance is damaging the internet's future. he also writes that to keep the internet strong, we need to keep it secure. the ceo of ebay is stepping up his attack against carl icahn, who wants ebay to spin off paypal. donahoe has consulted with other icahn targets, including netflix, for advice on how to handle icahn. donahoe also met with institutional investors to make a pitch to paypal along with ebay. amazon is raising the price of its amazon prime membership.
6:02 pm
members are being sent reminders about their renewal dates, and when they have to pay the higher cost. the move is expected to generate millions in additional revenue for amazon. to the inside story of that massive target data breach. we start with a look back at the timeline of events that led to the data theft that touched as many as one in three american consumers. >> the first time the public heard that target had been hacked was on december 18. the breach itself actually began sometime before then. so what did target know and when did they know it? hackers began capturing credit card data on november 27. the malware later was spotted. target had paid $1.6 million because of its ability to detect hacking in real-time.
6:03 pm
a security worker in india saw the fire eye alarm and sent it to the minneapolis center. the alert is overlooked. december second, security tools detected another version. this red flag also goes undetected. had target acted on the alerts at this point they would have been able to prevent one of the biggest data thefts in history. instead, for more than two weeks the hackers collected credit card information and bounced it around the globe to places like moscow. federal law enforcement notifies target they are seeing suspicious activity involving card payments at its stores. the retailer hires an independent team to run a forensic investigation and on december 15, target confirms it has been hacked and removes the malware. target issues its first public statement on december 19th, revealing that up to 40 million cards may have been compromised. 22 days later on january 10, target notifies customers that
6:04 pm
in addition to credit card theft, personal information for up to 70 million customers has also been stolen, affecting as many as one third of american consumers. businessweek", such a fascinating story. the amount of detail in the story, what happened and how, and the fact that target did nothing when they first found out about it. >> we're going to talk a lot about this. i think the impact is important not just for target and not just for the tons of people affected but for every business involved in customers in technology, which would mean pretty much every business. >> michael riley, one of the authors of the story, joins us now. the headline on the story is, how target blew it. how did they blow it and why? target did all the right things
6:05 pm
to prepare for this kind of event. they spend a lot of money in security and bought very sophisticated tools. fire eye catches the malware at an early stage and it is used by the cia and pentagon and intelligence agencies all over the world. they curated a security operations center, a headquarters where specialists sit and analyze data that is coming in and look at alerts. they have a round-the-clock monitoring service, including this new vendor in india. when the alerts -- when all the technology and money spent actually found the malware as it was coming in, the malware that would have been used to take the data out, the alert was recognized in bangalore. it went to minneapolis and nothing happened. failure at the core of this. why the soc did
6:06 pm
not react. there is an issue of how security teams deal with these alerts in a timely manner. worked, and they spotted the malware in time and they did not do anything to stop it. we do have a response from target and i want to read the full statement. they came back to you with a statement from the ceo, saying target was certified as meeting the standard for the payment card industry september 2013. we are still in the midst of an ongoing investigation. we have already taken significant steps, including beginning the overhaul of our information security structure.
6:07 pm
target is facing some 90 different lawsuits. like you guys saw pass the mystery here about how this happened. that caughtfire eye this before anything was even stolen. >> what they are trying to do is figure out what actually went wrong on the human level. these findings were known to target as they went back, once they were notified by federal authorities that they had been hacked, they went back to see why all this expensive equipment and costly system they put together did not work. they did thatd as investigation is in fact that it did work. at least on the technology
6:08 pm
level. the question is, where was the human fail along that line? did they not react quick enough? was there a management issue meaning they did not react to the alerts and they should have reacted? fire eye tends to be a very specific, very good system that does not create a lot of false positives. they did not pay attention to the systems they should have. the ceo says they are doing a complete top to bottom review of their security system, i think the company is trying to figure out, why did this happen, how is it they could have found the malware in time and not done anything. >> were they used to using crummy tools, but in this case they got their hands on a good one and were used to ignoring the crummy responses i got in the past? >> this is part of the problem with the security system in general. we have seen a security boom in tools. there are a lot of really good tools out there. this is a set of next generation
6:09 pm
tools that analyzes behavior and does not just look at digital signatures. all these big companies have a lot of legacy tools and older tools. they all have antivirus, which can put off tens of thousands of alerts in a day. there's a huge amount of information they have to go through. we talk to customers who use fire eye. they point out that you have to have a security team that can respond to it in time and get what you want. one of the ironies about this is fire eye has a function that whenever it spots a piece of malware, it can eliminate it automatically. target had that function switched off. that unusual because the i.t. and security teams like to have that last step themselves. they like to be able to look and see what the problem is. when they came to the last step, they just did not do it. >> we are going to talk about what information was taken, who took it, where it went and how
6:10 pm
it was used in the next block. i have to admit, i'm one of those people who is still scared to shop at target. how safe is it now? i think companies, especially when they suffer breaches like this, tend to try hard to learn from them. it is safe in the sense that on december 15, they were able to identify the malware on the p.o.s. systems. the way target systems work, they can reimage all their p.o.s. systems at once. after december 15, the hackers have been cleaned out and those cards are not at risk. there is a larger question of for target and other companies, is their system vulnerable in ways where hackers will continue to do this? one of the things about this hack is it was not very sophisticated. the guys doing it were not the best hackers in the world. they did some very smart things. a report was released two days
6:11 pm
ago that said, if target had their act together, they should have found these guys out before they did. >> don't go anywhere. you are going to stay with us. up next, just how easy is it to buy a stolen credit card number on the black market? the secret websites that some call the amazon.com of credit card fraud. you can watch us streaming on your tablet, phone, or bloomberg.com and apple tv. ♪
6:14 pm
>> welcome back to "bloomberg west." i'm emily chang. we are talking about the massive data breach at target. once the target hackers sold off those credit cards, they traffic them to the black market through the ukrainian hacker. believe sells stolen credit card information through several websites. i want to bring in the chief
6:15 pm
technology officer at the computer forensic services, joining us through skype from annapolis. michael riley back with us as well. what is this person's role in this? >> his name is found inside the code of the malware that was installed on the target pos system. we know that he had something to do with the creation of this malware. essentially as a farmer. a farmer plants a crop, waits for it to grow, harvests it and then takes that crop to market. that is what has happened here. paint the underworld you described in your article and
6:16 pm
its place in ukraine, where they apparently have conventions where a bunch of people get together and talk about how to use credit card information. they sell it, they buy it. describe this place to me. >> one of the things we know is that the cyber underground is becoming increasingly well-segmented machine. -- secret service describes comparable to the "ocean's 11" movie. guys will get together and do various parts of the hack. you can hire out or find somebody. once they collect the cards, they have a really efficient way of selling them. you can go onto some of the best sites -- they really do work like amazon.com. you sign in with a password, which you have to get from the site's creator because you are
6:17 pm
a client or known to somebody. once you're in there, you can search cards by the brand, expiration date. you can search it by zip code. if you are buying these cards, you can do it in the same area where the cards are issued so they don't trigger fraud engines. then you just put your basket of stolen cards into an electronic checkout basket and you pay for it using bitcoin or western union or whatever currency they want to take. it is pretty automated. too bad target system security was not so easy to use. one of the interesting in michael story was the notion that this is not just a bunch of guys in a dark room in eastern europe. this is a complex operation with spy like characteristics and involved fake id badges and people walking in secure buildings. physical security is most
6:18 pm
important, but what troubles the most about this -- think of it like this. target paid $1.6 million for a smoke alarm and when it went off, they just took the battery out without seeing if there was any smoke in the room. mark, describe the way the black market works. the credit card numbers sell for $200.re from 600 to how quickly can they use them before they are detected? >> the analogy i used earlier is pretty spot on. individuals in russia are making their money by selling this stolen information. they need to make it convenient, so they put together this amazon.com for this data. hackers toow
6:19 pm
download or purchase very specific credit card information, even coming back to a certain billing zip code. they can purchase specific cards digits, thec for final four digits on a card in order to circumvent human security at the checkout. if you have ever purchased a tv at the checkout, the cashier will often ask you for the card and check the expiration date. they will check the last four digits to make sure that it matches up with the information stored on the magnetic stripe. these are very sophisticated customers of rescator. in your story, which is amazing the nice work and greatly detailed -- and wondering about prosecution and what happens. can they actually get their
6:20 pm
hands on these guys? is there cooperation, cross-border cooperation? has that changed with the situation with russia and ukraine? >> the short answer is no. there are gangs that have been operating for years in russia and elsewhere in eastern europe. there was an indictment last year in new jersey that focused on a gang like this one that had been responsible for stealing 160 million credit cards at least from everyone from jet blue to citibank. it goes all the way back to the heartland payment systems. been operating for years, basically untouched in russia. u.s. law enforcement, it is not like they have not tried to do something. i talked to a former fbi agent on this the other day and he is like, it depends on the cooperation we get from the home country. name, a file,em a but if they will not respond, we
6:21 pm
cannot do anything to lay hands on these guys. is the they have tried try to lure these guys out to different countries. they will lure people out to do a business deal or have a party in the netherlands and amsterdam on the pretext that they are another bad guy. if those guys get on a plane and fly to one of these countries where they have better law enforcement cooperation, they can actually lay hands on them. >> great idea. we will invite them on "bloomberg west." we will set them in the chair across from emily and i. rescator, if you're watching, come in, man. >> mark lanterman and michael riley, thank you. businessweek.com or pick up an issue of the magazine. and whatis your data
6:22 pm
6:25 pm
>> welcome back to "bloomberg west." i'm emily chang. turning back to the story of what went wrong at target and how companies deal with your credit card information. may serve as an object lesson how not to screw up in the future. >> we have a perfect person here to discuss. take a lot of credit card companies. how do you deal with it? >> security on the internet is a difficult thing. we focus on it every day. we have a team dedicated and committed to it because it's all about trust and credibility.
6:26 pm
the story you produced is a powerful one about human mistakes. the ceo came clean and said, this is a bad situation. >> well, eventually. to me this is part of the issue. this really felt like a political thriller. you have administration with an incompetent and slow response to an evolving problem that could have been headed off at the pass. how many credit card numbers do you guys have, you think? >> we do over 3 million transactions this year alone. chegg has gotten very big in the business is going very strong. we started with textbook rental but now we do digital subscriptions to learning materials. >> how big is your security team? >> it is pretty significant. one of the smartest things we did was my general counsel was at ebay for 10 years and this was his responsibility.
6:30 pm
>> you are watching "bloomberg west." we focus on innovation, technology, and the future of business. i'm emily chang. go go out with fourth-quarter earnings. the company recorded 92.6 million dollars, an increase of of $22t a wider loss million. gogo announcing its first steps to launching internet service on japan airlines. joining us from new york is the ceo. with japaneal airlines. where else, when it comes to international expansion?
6:31 pm
>> we are very excited about our international expansion. we have a deal with delta's international fleet and aero mexico. we hope those are the first three of very many. i am not a gogo follower, professionally. i am a user. can we talk about the difference between terrestrial wi-fi access for planes and satellite access for planes? >> our initial implementation was air to ground. we now have a global satellite network. we are technology agnostic. whatever solves the problem faster is what we use. mean an airplane that is already outfitted with access to your terrestrial broadcast will have to be re-outfitted to accept satellite? can they do both?
6:32 pm
what is the cost difference? >> our solution with air to ground was low cost and quick to install. 2000 planes very quickly, and we also have it on 2000 business jets. our air to ground solution is not good for overwater and it's not great for some live television applications. planes forrade some those reasons, and upgrade those planes to get additional capacity. a few months ago we announced ground to orbit technology and it augments our air to ground with satellite antenna and will take the speed all the way up to 70 megabits per second over 20 times what we started with. have much more relaxed policies now on what devices we can use in. how does that affect you guys?
6:33 pm
>> it reflects a trend of people want to be connected everywhere in the public will demand to be connected in-flight. some of the rules probably were outdated. the government and the airlines are relaxing those. it's all part of the mobile internet trend and the trend of the internet of things. planes and passengers will be connected. >> back to the question of cost. for an airplane -- i'm trying to figure out where the low hanging fruit is. people who want any kind of wi-fi will go with you right away but what does it cost per commercial jet to install a new system that would be connecting either air to ground or air to satellite? >> we have not disclosed those numbers but i can tell you that satellite is significantly more expensive than air to ground.
6:34 pm
we believe it is a necessity for the airlines to have a connected aircraft not only for the passenger amenity but for them to manage the crew and plane and provide levels of service to passengers such as booking flights or monitoring the performance of the engines. since we share some of the revenue with the airlines, it is often value positive for the airlines. they get all the benefits for their airline and receive a check from gogo. >> i feel like we cannot have this conversation without talking about malaysia airlines flight 370. it does not appear that plane had wifi but if it did, would we have a better idea where this went off the map? first, our hearts go out to the families affected. there is a good likelihood that
6:35 pm
if there was more connectivity to that plane, there would be much more information, some directly from the plane and also the passengers very likely would have been able to notify someone that something was going wrong if it had been a connected aircraft. >> i wonder about the usage case. certain time in cross country flight when there are so many people on the the service slows down. know about how much people use the service when their online and how much they are sending messages? what are they using it for? >> we have a lot of information about how people use our service . the core customer, the business traveler, e-mail is the most important. there is general web browsing and social media. yes, there is always demand for more bandwidth than we keep
6:36 pm
upgrading our technology. we started with three megabits per second. to ten.akes it 70 megabitse it to per second for aircraft. >> what does it take for an airline to add wi-fi? a malaysiat airlines, for example, offer wi-fi? why wouldn't every airline offer wi-fi given the potential benefits? we believe that over the next planes virtually all the will be outfitted with wi-fi. it happened very quickly in the u.s. in about five years, most aircraft have wi-fi. air to ground work in the u.s. outside the u.s. it will take satellite technology. satellite technology is now coming into its own and it will happen around the globe.
6:40 pm
>> welcome back to "bloomberg west." i'm emily chang. venture capitalists are pouring millions into publishing and media these days. jeff bezos recently bought the "washington post." mark andreessen says we're on the verge of a boom in journalism. how many are going to cash in on content? our next guest made the move from journalism to venture capital. us, chegg ceoh dan rosensweig. you have a very well known blog. you were in tech journalism for 20 years? i will try not to date you. [laughter]
6:41 pm
how has the transition been from journalism? >> it has been 15 days. i don't think there is much of a difference except i don't have a publishing deadline, which is kind of cool. get to not worry about writing a story in the middle of the and worrying about what is going on in the planet. that is the big change. otherwise a lot of things are the same. i meet a lot of people, and talking to a lot of startups and small people. my day still starts at 5:00. >> you are not the first guy to do this. mark morris did this at sequoia. >> no pressure. how does your prior life as a journalist put you in a better position to spot potential winners out there? >> one of the key things as a journalist, which i at least
6:42 pm
think about myself, is that i have had 20 odd years to figure out how to think about the future, try and see what trends are coming. to be more prepared for the future. i thought it was easier to write stories about companies which were going to be interesting, like writing about skype and learning about skype when broadband was taking off made perfect sense. i am probably going to apply the same logic i had to this new life of mine. also, i think as journalism prepares you for listening, which is something we do not do very well in silicon valley. we do not like to listen very much. plus, there is a bunch of other things which i have learned over the last eight years as running a startup. om is a blog, but it is a
6:43 pm
company now. >> we were all in magazine publishing in the 1990's. i feel like there are some lessons that directly apply not just to journalists. what do you think are the things that media people know that the rest of the world do not, whether it is from the publishing side or the journalistic side? >> if they do it well -- and i'm certain you will -- what they understand is what people care about. they only want to cover what the audience cares about. what will people care about, how will they use it, will it have an impact. they should not cover it if it does not trade if you look at the history of what om covered, it was interesting things people knew were going to matter. it was not covering news after the fact. that's the kind of insight that
6:44 pm
i think he can bring and other really good journalists historically can bring to these things. of you are in such a good position to discuss where we are in the latest cycle. we have heard the term bubble 2.0, valuations are so high. what do you think of valuations right now, of the fact that a company like pinterest is valued highly? --80% of its traffic is coming from mobile. if that is where the future of commerce is, then pinterest is in the middle of it, that tells you how big the opportunity remains to be seen for them. mobile commerce is a massive business. from that standpoint, is it overvalued? yes, in some logical sense, but not overvalued because the
6:45 pm
future is going to be involved as a company in transactions. what ift journalism thought was forever in 2005. i did not know what strengths i was going to bring. guys who could do a casual analysis in a second did not know how to pick up a phone and call a stranger and get that stranger to tell them something valuable. that journalism is moving away from that. there's a lot of re-writes. when you look at the journalistic models out there, when we have so very little truly original content, just a lot of reaction content -- you see the models of journalism changing. >> the internet requires better editors and better journalism. andreessen says we're on the cusp of something big because we have gone through the cycle of what you just described, which is re-tweets.
6:46 pm
when people spend time writing original content, we are beginning to see. if you look at a buzzfeed or "huffington post," or if you look at what om did for years and years, high-quality will find an audience. rush forculty is the eyeballs or for insane valuations with no revenue causes people to not do the sustainable thing. those that do focus on it 20 years later, you see the value in it. >> do you think the valuations are insane? public company, private valuations are very difficult to understand. market. it's a when there's a lot of capital and competition to get into these companies, there will be a lot of money poorly spent. however, some of these companies will be well worth what they are invested in and a lot more. i cannot discussed whether
6:47 pm
worth $4 is or is not billion. it is to somebody. if you could own mobile business, it will be worth way more than that. somebody is stating they can figure that out. you look at companies like air b&b. that will be one of the most important companies we have seen. i think it is worth more. that is what a market is about. >> it is also whatsapp. we will talk more about that after this quick commercial break. ♪
6:50 pm
6:51 pm
apply to the ads, like scheduling what time of day and how anars as scheduling ad appears. we are back now with om malik of true ventures and dan rosensweig, the ceo of chegg, the only guy in the world who ever got mark zuckerberg to agree to sell his company. what happened there? >> it was early on and they had four and a half million users. i had met mark. we were both born in roxbury, new york. i listen to his vision and story and his confidence. talk about being bossy. i fell in love with him and where he was going. that was only when you could connect college to college. he had a about it and vision to take over the world, which you see him doing now. the combination would have been extraordinarily powerful and mark agreed to do it. the famous line, what is really cool is a billion. that was the offer. >> you got him to agree to sell
6:52 pm
facebook to yahoo! for $1 billion. he backed out. what is it like negotiating with mark zuckerberg? what is different today? think about these companies like instagram and whatsapp that are all negotiating to a certain extent with him. >> he has a charisma that most people who do not spend a lot of time with him don't understand, which is the power of the enormity of his vision and the confidence they will figure it out, his willingness to make a mistake and fix it. all of those things, he is relentless in what he believes in and that is why facebook is so powerful. you need somebody like that if you're going to run the world. >> let me ask you about your observation of dealmakers in your work as a journalist. one of your excerpt -- expertise is is on enterprise deals. what you think you will bring to
6:53 pm
your new career as a vc having seen these deals work and not work? >> the key difference in deals which don't work and do work is relationships and ability to communicate. is the difference between winning and losing, inability of people to communicate is the number one reason things don't work out in the business world. is so important for founders to understand that they are dealing with people on the other side. they are not dealing with a number. the number is essentially a number. i think there is a deal between mark and whatsapp got done because he established a connection. mark established a connection with kevin. >> i was going to say the same thing. fact heere after the has been working on these guys for a couple of years. >> even when i was working with
6:54 pm
facebook, we worked on that discussion for over a year. it was well over a year. met him, had dinner with him many times. >> you also got mark to hire sheryl sandberg. >> i introduced them. nobody gets sheryl or mark to do anything. she's not a number two kind of gal. >> she's not a number two kind of anything and neither is he. it is interesting how all of this comes together. silicon valley people want to win. they want a mission, they want a mission that matters and they want to be an organization that wins. some of these folks say, i can win faster if i'm with facebook because i believe in that team. it is that confidence and trust and respect that gets these things done and makes them work. >> mark zuckerberg looks great right now.
6:55 pm
everyone seems to have confidence that he can make the best of these acquisitions and these will not be viewed as wrong moves in hindsight. but how do we really know that? what makes him so special? why can he buy versus build innovation and that can be ok? >> i think the key to understanding mark or anybody like him is to understand that they have an innate confidence in themselves. the confidence in themselves means they are ok being wrong. people who think they can only win without being wrong, they never win. mark is one of those guys -- he will take his punch and come back with a counterattack and do a better job. whether whatsapp works out or not, it is a risk worth taking. look what he's using, a stock which is pretty inflated.
6:56 pm
cisco used to do that. sometimes half the cisco deals worked out and half did not work out. when they did, you end up with a product like the cisco switch. that is the same thing with mark. now that you have a publicly traded stock [indiscernible] you are aware of this. do you look at deals and try to figure out how the integration will be just as hard as the decision to do it? >> you have to look at the whole spectrum. the magic of some of these deals you see, a lot of these things are not businesses. they are very small teams. there may be zero integrations. it is more of a cultural fit. and do they agree on how they're going to run it? when you buy an actual business with a p&l on long-term culture, those are much harder and those do not work out nearly as well
6:57 pm
7:00 pm
>> welcome to "lunch money." i'm adam johnson. in company, target. the retail giant had one of the largest data breaches in history. this a bloomberg businessweek investigation. wall street and washington. a lovely relationship. plowing through retail sales. is the white house strategy working echo time to get your last run in for the ski season. one mountain for experts only. we're k