
tv   Bloomberg West  Bloomberg  March 13, 2014 11:00pm-12:01am EDT

11:00 pm
>> live from pier three in san francisco, welcome to "bloomberg west." we cover innovation, technology, and the future of business. i'm emily chang. easy target after the investigation into the massive data breach that exposed 40 million credit and debit card numbers. target security systems quickly detected the hack attack but executives did nothing. we spend the next half hour diving deep into the story, looking at what went wrong and when, and the secret black market for credit card
11:01 pm
information and the underworld of carders who trade it. mark zuckerberg just revealed that he personally called president obama. he said he called the president to express his frustration over the government surveillance programs, telling president obama that government surveillance is damaging the internet's future. he also writes that to keep the internet strong, we need to keep it secure. the ceo of ebay is stepping up his attack against carl icahn, who wants ebay to spin off paypal. donahoe has consulted with other icahn targets, including netflix, for advice on how to handle icahn. donahoe also met with institutional investors to make a pitch to paypal along with ebay. amazon is raising the price of its amazon prime membership. current members are being sent reminders about their renewal
11:02 pm
dates, and when they have to pay the higher cost. the move is expected to generate millions in additional revenue for amazon. now, to the inside story of that massive target data breach. we start with a look back at the timeline of events that led to the data theft that touched as many as one in three american consumers. >> the first time the public heard that target had been hacked was december 18. the breach itself actually began sometime before then. so what did target know and when did they know it? hackers began capturing credit card data on november 27. three years later the malware was spotted. target had paid $1.6 million because of its ability to detect hacking in real-time. a security worker in india saw the fireeye alarm and sent it to
11:03 pm
the minneapolis center. the alert is overlooked. december second, security tools detected another version. this red flag also goes undetected. had target acted on the alerts at this point they would have been able to prevent one of the biggest data thefts in history. instead, for more than two weeks the hackers collected credit card information and bounced it around the globe to places like moscow. federal law enforcement notifies target they are seeing suspicious activity involving card payments at its stores. the retailer hires an independent team to run a forensic investigation and on december 15, target confirms it has been hacked and removes the malware. target issues its first public statement on december 19th, revealing that up to 40 million cards may have been compromised. 22 days later on january 10, target notifies customers that in addition to credit card theft, personal information for up to 70 million customers has
11:04 pm
also been stolen, affecting as many as one third of american consumers. >> "bloomberg businessweek", such a fascinating story. the amount of detail in the story, what happened and how, and the fact that target did nothing when they first found out about it. >> we're going to talk a lot about this. i think the impact is important not just for target and not just for the tons of people affected but for every business involved in customers in technology, which would mean pretty much every business. >> michael riley, one of the authors of the story, joins us now. the headline on the story is, how target blew it. how did they blow it and why?
11:05 pm
>> target did all the right things to prepare for this kind of event. they spent a lot of money in security and bought very sophisticated tools. fireeye catches the malware at an early stage and it is used by the cia and pentagon and intelligence agencies all over the world. they created a security operations center, a headquarters where specialists sit and analyze data that is coming in and look at alerts. they have a round-the-clock monitoring service, including this new vendor in india. when the alerts -- when all the technology and money spent actually found the malware as it was coming in, the malware that would have been used to take the data out, the alert was recognized in bangalore. it went to minneapolis and nothing happened. there's a human failure at the core of this. it is unclear why the soc did not react. there is an issue of how
11:06 pm
security teams deal with these alerts in a timely manner. their tools worked, and they spotted the malware in time and they did not do anything to stop it. >> we do have a response from target and i want to read the full statement. they came back to you with a statement from the ceo, saying target was certified as meeting the standard for the payment card industry september 2013. we are still in the midst of an ongoing investigation. we have already taken significant steps, including beginning the overhaul of our information security structure. target is facing some 90
11:07 pm
different lawsuits. it seemed like you guys saw past the mystery here about how this happened. the role of fireeye that caught this before anything was even stolen. >> what they are trying to do is figure out what actually went wrong on the human level. these findings were known to target as they went back, once they were notified by federal authorities that they had been hacked, they went back to see why all this expensive equipment and costly system they put together did not work. what they found as they did that investigation is in fact that it did work. at least on the technology
11:08 pm
level. the question is, where was the human fail along that line? did they not react quick enough? was there a management issue meaning they did not react to the alerts and they should have reacted? fireeye tends to be a very specific, very good system that does not create a lot of false positives. maybe they did not pay attention to the systems they should have. when the ceo says they are doing a complete top to bottom review of their security system, i think the company is trying to figure out, why did this happen, how is it they could have found the malware in time and not done anything. >> were they used to using crummy tools, but in this case they got their hands on a good one and were used to ignoring the crummy responses they got in the past? >> this is part of the problem with the security system in general. we have seen a security boom in tools. there are a lot of really good
11:09 pm
tools out there. this is a set of next generation tools that analyzes behavior and does not just look at digital signatures. all these big companies have a lot of legacy tools and older tools. they all have antivirus, which can put off tens of thousands of alerts in a day. there's a huge amount of information they have to go through. we talk to customers who use fireeye. they point out that you have to have a security team that can respond to it in time and get what you want. one of the ironies about this is that fireeye has a function that whenever it spots a piece of malware, it can eliminate it automatically. target had that function switched off. it is not that unusual because the i.t. and security teams like to have that last step themselves. they like to be able to look and see what the problem is. when they came to the last step, they just did not do it. >> we are going to talk about what information was taken, who took it, where it went and how it was used in the next block. i have to admit, i'm one of
11:10 pm
those people who is still scared to shop at target. how safe is it now? >> i think companies, especially when they suffer breaches like this, tend to try hard to learn from them. it is safe in the sense that on december 15, they were able to identify the malware on the pos systems. the way target systems work, they can reimage all their p.o.s. systems at once. after december 15, the hackers have been cleaned out and those cards are not at risk. there is a larger question for target and other companies, is their system vulnerable in ways where hackers will continue to do this? one of the things about this hack is it was not very sophisticated. the guys doing it were not the best hackers in the world. they did some very smart things. a report was released two days
11:11 pm
ago that said, if target had their act together, they should have found these guys out before they did. >> don't go anywhere. you are going to stay with us. up next, just how easy is it to buy a stolen credit card number on the black market? the secret websites that some call the amazon.com of credit card fraud. you can watch us streaming on your tablet, phone, or bloomberg.com and apple tv. ♪
11:12 pm
11:13 pm
11:14 pm
>> welcome back to "bloomberg west." i'm emily chang. we are talking about the massive data breach at target. once the target hackers sold off those credit cards, they traffic them to the black market through the ukrainian hacker. i personally believe sells stolen credit card information through several websites. i want to bring in the chief technology officer at the computer forensic services, joining us through skype from
11:15 pm
annapolis. michael riley back with us as well. mark, what is this person's role in this? >> his name is found inside the code of the malware that was installed on the target pos system. we know that he had something to do with the creation of this malware. i think of him essentially as a farmer. a farmer plants a crop, waits for it to grow, harvests it and then takes that crop to market. that is what has happened here. >> paint the underworld you described in your article and its place in ukraine, where they
11:16 pm
apparently have conventions where a bunch of people get together and talk about how to use credit card information. they sell it, they buy it. describe this place to me. >> one of the things we know is that the cyber underground is becoming increasingly well the segmented -- wealth segmented machine. the secret service describes -- comparable to the "ocean's 11" movie. guys will get together and do various parts of the hack. you can hire out or find somebody. once they collect the cards, they have a really efficient way of selling them. you can go onto some of the best sites -- they really do work like amazon.com. you sign in with a password, which you have to get from the site's creator because you are a client or known to somebody.
11:17 pm
once you're in there, you can search cards by the brand, expiration date. you can search it by zip code. if you are buying these cards, you can do it in the same area where the cards are issued so they don't trigger fraud engines. then you just put your basket of stolen cards into an electronic checkout basket and you pay for it using bitcoin or western union or whatever currency they want to take. it is pretty automated. >> too bad target system security was not so easy to use. one of the interesting things in michael's story was the notion that this is not just a bunch of guys in a dark room in eastern europe. this is a complex operation with spy-like characteristics and involved fake id badges and people walking in secure buildings. >> physical security is most
11:18 pm
important, but what troubles me the most about this -- think of it like this. target paid $1.6 million for a smoke alarm and when it went off, they just took the battery out without seeing if there was any smoke in the room. >> mark, describe the way the black market works. the credit card numbers sell for anywhere from 600 to $200. how quickly can they use them before they are detected? >> the analogy i used earlier is pretty spot on. the individuals in russia are making their money by selling this stolen information. they need to make it convenient, so they put together this amazon.com for this data. it does allow hackers to download or purchase very
11:19 pm
specific credit card information, even coming back to a certain billing zip code. they can purchase specific cards with specific four digits, the final four digits on a card in order to circumvent human security at the checkout. if you have ever purchased a tv at the checkout, the cashier will often ask you for the card and check the expiration date. they will check the last four digits to make sure that it matches up with the information stored on the magnetic stripe. these are very sophisticated customers of rescator. >> in your story, which is amazing the nice work and greatly detailed -- and wondering about prosecution and what happens. can they actually get their
11:20 pm
hands on these guys? is there cooperation, cross-border cooperation? has that changed with the situation with russia and ukraine? >> the short answer is no. there are gangs that have been operating for years in russia and elsewhere in eastern europe. there was an indictment last year in new jersey that focused on a gang like this one that had been responsible for stealing 160 million credit cards at least from everyone from jet blue to citibank. it goes all the way back to the heartland payment systems. those guys have been operating for years, basically untouched in russia. u.s. law enforcement, it is not like they have not tried to do something. i talked to a former fbi agent on this the other day and he is like, it depends on the cooperation we get from the home
11:21 pm
country. we can give them a name, a file, but if they will not respond, we cannot do anything to lay hands on these guys. the one thing they have tried is to try to lure these guys out to different countries. they will lure people out to do a business deal or have a party in the netherlands and amsterdam on the pretext that they are another bad guy. if those guys get on a plane and fly to one of these countries where they have better law enforcement cooperation, they can actually lay hands on them. >> great idea. we will invite them on "bloomberg west." we will set them in the chair across from emily and i. rescator, if you're watching, come in, man. >> mark lanterman and michael riley, thank you. businessweek.com or pick up an issue of the magazine. how safe is your data and what are companies really doing to protect it now? you can watch us streaming on your tablet, phone, and bloomberg.com.
11:22 pm
11:23 pm
11:24 pm
11:25 pm
>> welcome back to "bloomberg west." i'm emily chang. turning back to the story of what went wrong at target and how companies deal with your credit card information. >> how this may serve as an object lesson how not to screw up in the future. >> we have a perfect person here to discuss. you guys take a lot of credit card companies. how do you deal with it? >> security on the internet is a difficult thing. we have to focus on it everyday. we have a team dedicated and committed to it because it's all about trust and credibility. the story you produced is a powerful one about human
11:26 pm
mistakes. the ceo came clean and said, this is a bad situation. >> well, eventually. to me this is part of the issue. this really felt like a political thriller. you have administration with an incompetent and slow response to an evolving problem that could have been headed off at the pass. how many credit card numbers do you guys have, you think? >> we do over 3 million transactions this year alone. chegg has gotten very big and the business is going very strong. we started with textbook rental but now we do digital subscriptions to learning materials. >> how big is your security team? >> it is pretty significant. one of the smartest things we did was my general counsel was at ebay for 10 years and this was his responsibility. >> dan rosensweig, stick with us.
11:27 pm
we will talk more about the future of chegg. ♪
11:28 pm
11:29 pm
11:30 pm
>> you are watching "bloomberg west." we focus on innovation, technology, and the future of business. i'm emily chang. gogo out with fourth-quarter earnings. the company recorded 92.6 million dollars, an increase of 46%, but a wider loss of $22 million. gogo announcing its first steps to launching internet service on japan airlines. joining us from new york is the ceo. you got a deal with japan airlines. where else, when it comes to international expansion?
11:31 pm
>> we are very excited about our international expansion. we have a deal with delta's international fleet and aero mexico. we hope those are the first three of very many. >> i am not a gogo follower, professionally. i am a user. can we talk about the difference between terrestrial wi-fi access for planes and satellite access for planes? >> our initial implementation was air to ground. we now have a global satellite network. we are technology agnostic. whatever solves the problem faster is what we use. >> does that mean an airplane that is already outfitted with access to your terrestrial broadcast will have to be re-outfitted to accept satellite?
11:32 pm
can they do both? what is the cost difference? >> our solution with air to ground was low cost and quick to install. we got it on 2000 planes very quickly, and we also have it on 2000 business jets. our air to ground solution is not good for overwater and it's not great for some live television applications. we will upgrade some planes for those reasons, and upgrade those planes to get additional capacity. a few months ago we announced ground to orbit technology and it augments our air to ground with satellite antenna and will take the speed all the way up to 70 megabits per second over 20 times what we started with. >> airlines have much more relaxed policies now on what devices we can use in. how does that affect you guys?
11:33 pm
>> it reflects a trend of people want to be connected everywhere in the public will demand to be connected in-flight. some of the rules probably were outdated. the government and the airlines are relaxing those. it's all part of the mobile internet trend and the trend of the internet of things. planes and passengers will be connected. >> back to the question of cost. for an airplane -- i'm trying to figure out where the low hanging fruit is. people who want any kind of wi-fi will go with you right away but what does it cost per commercial jet to install a new system that would be connecting either air to ground or air to satellite? >> we have not disclosed those numbers but i can tell you that satellite is significantly more expensive than air to ground. we believe it is a necessity for
11:34 pm
the airlines to have a connected aircraft not only for the passenger amenity but for them to manage the crew and plane and provide levels of service to their passengers such as booking flights or monitoring the performance of the engines. since we share some of the revenue with the airlines, it is often value positive for the airlines. they get all the benefits for their airline and receive a check from gogo. >> i feel like we cannot have this conversation without talking about malaysia airlines flight 370. it is not up there that flight had -- does not appear that plane had wifi but if it did, would we have a better idea where this went off the map? >> first, our hearts go out to the families affected. there is a good likelihood that if there was more connectivity
11:35 pm
to that plane, there would be much more information, some directly from the plane and also the passengers very likely would have been able to notify someone that something was going wrong if it had been a connected aircraft. >> i wonder about the usage case. there's a certain time in cross country flight when there are so many people on that the service slows down. what do you know about how much people use the service when they're online and how much they are sending messages? what are they using it for? >> we have a lot of information about how people use our service. the core customer, the business traveler, e-mail is the most important. there is general web browsing and social media. yes, there is always demand for more bandwidth and we keep upgrading our technology.
11:36 pm
we started with three megabits per second. now it takes it to ten. gto will take it to 70 megabits per second for aircraft. >> what does it take for an airline to add wi-fi? why wouldn't a malaysia airlines, for example, offer wi-fi? why wouldn't every airline offer wi-fi given the potential benefits? >> we believe that over the next decade, virtually all the planes will be outfitted with wi-fi. it happened very quickly in the u.s. in about five years, most aircraft have wi-fi. air to ground works in the u.s. outside the u.s. it will take satellite technology. satellite technology is now coming into its own and it will happen around the globe. they will all get installed.
11:37 pm
>> michael small, ceo of gogo. ♪
11:38 pm
11:39 pm
11:40 pm
>> welcome back to "bloomberg west." i'm emily chang. venture capitalists are pouring millions into publishing and media these days. jeff bezos recently bought the "washington post." mark andreessen says we're on the verge of a boom in journalism. how many are going to cash in on content? our next guest made the move from journalism to venture capital. also still with us, chegg ceo dan rosensweig. you have a very well known blog. you were in tech journalism for 20 years? i will try not to date you.
11:41 pm
[laughter] how has the transition been from journalism? >> it has been 15 days. i don't think there is much of a difference except i don't have a publishing deadline, which is kind of cool. i get to not worry about writing a story in the middle of the night and worrying about what is going on in the planet. that is the big change. otherwise a lot of things are the same. i meet a lot of people, and talking to a lot of startups and small people. my day still starts at 5:00. >> you are not the first guy to do this. mark morris did this at sequoia. >> no pressure. >> how does your prior life as a journalist put you in a better position to spot potential winners out there? >> one of the key things as a journalist, which i at least think about myself, is that i
11:42 pm
have had 20 odd years to figure out how to think about the future, try and see what trends are coming. to be more prepared for the future. i thought it was easier to write stories about companies which were going to be interesting, like writing about skype and learning about skype when broadband was taking off made perfect sense. i am probably going to apply the same logic i had to this new life of mine. also, i think as journalism prepares you for listening, which is something we do not do very well in silicon valley. we do not like to listen very much. plus, there is a bunch of other things which i have learned over the last eight years as running a startup. gig om is a blog, but it is a company now.
11:43 pm
>> we were all in magazine publishing in the 1990's. i feel like there are some lessons that directly apply not just to journalists. what do you think are the things that media people know that the rest of the world do not, whether it is from the publishing side or the journalistic side? >> if they do it well -- and i'm certain you will -- what they understand is what people care about. you guys only want to cover what the audience cares about. what will people care about, how will they use it, will it have an impact. they should not cover it if it does not trade if you look at the history of what om covered, it was interesting things people knew were going to matter. it was not covering news after the fact. that's the kind of insight that
11:44 pm
i think he can bring and other really good journalists historically can bring to these things. >> all three of you are in such a good position to discuss where we are in the latest cycle. we have heard the term bubble 2.0, valuations are so high. what do you think of valuations right now, of the fact that a company like pinterest is valued so highly? >> pinterest -- 80% of its traffic is coming from mobile. if that is where the future of commerce is, then pinterest is in the middle of it, that tells you how big the opportunity remains to be seen for them. mobile commerce is a massive business. from that standpoint, is it overvalued? yes, in some logical sense, but not overvalued because the
11:45 pm
future is going to be involved as a company in transactions. >> i left journalism what i thought was forever in 2005. i did not know what strengths i was going to bring. there were guys who could do a casual analysis in a second did not know how to pick up a phone and call a stranger and get that stranger to tell them something valuable. i also see that journalism is moving away from that. there's a lot of re-writes. when you look at the journalistic models out there, when we have so very little truly original content, just a lot of reaction content -- you see the models of journalism changing. >> the internet requires better editors and better journalism. andreessen says we're on the cusp of something big because we have gone through the cycle of what you just described, which is re-tweets. when people spend time writing
11:46 pm
original content, we are beginning to see. if you look at a buzzfeed or "huffington post," or if you look at what om did for years and years, high-quality will find an audience. the difficulty is the rush for eyeballs or for insane valuations with no revenue causes people to not do the sustainable thing. those that do focus on it 20 years later, you see the value in it. >> do you think the valuations are insane? >> as a public company, private valuations are very difficult to understand. however, it's a market. when there's a lot of capital and competition to get into these companies, there will be a lot of money poorly spent. however, some of these companies will be well worth what they are invested in and a lot more. i cannot discussed whether
11:47 pm
pinterest is or is not worth $4 billion. it is to somebody. if you could own mobile business, it will be worth way more than that. somebody is stating they can figure that out. you look at companies like airbnb. that will be one of the most important companies we have seen. i think it is worth more. that is what a market is about. >> it is also whatsapp. we will talk more about that after this quick commercial break. ♪
11:48 pm
11:49 pm
11:50 pm
>> welcome back to "bloomberg west." facebook is offering video ads to select partners after months of testing. facebook is also testing features that companies can apply to the ads, like scheduling what time of day an ad appears as scheduling how an
11:51 pm
ad appears. we are back now with om malik of true ventures and dan rosensweig, the ceo of chegg, the only guy in the world who ever got mark zuckerberg to agree to sell his company. what happened there? >> it was early on and they had four and a half million users. i had met mark. we were both born in roxbury, new york. i listen to his vision and story and his confidence. talk about being bossy. i fell in love with him and where he was going. that was only when you could connect college to college. we talked about it and he had a vision to take over the world, which you see him doing now. the combination would have been extraordinarily powerful and mark agreed to do it. the famous line, what is really cool is a billion. that was the offer.
11:52 pm
>> you got him to agree to sell facebook to yahoo! for $1 billion. he backed out. what is it like negotiating with mark zuckerberg? what is different today? think about these companies like instagram and whatsapp that are all negotiating to a certain extent with him. >> he has a charisma that most people who do not spend a lot of time with him don't understand, which is the power of the enormity of his vision and the confidence they will figure it out, his willingness to make a mistake and fix it. remember all of those things, he is relentless in what he believes in and that is why facebook is so powerful. you need somebody like that if you're going to run the world. >> let me ask you about your observation of dealmakers in your work as a journalist. one of your expertise is on enterprise deals. what do you think you will bring to your new career as a vc having seen these deals work and not
11:53 pm
work? >> the key difference in deals which don't work and do work is relationships and ability to communicate. that is the difference between winning and losing, inability of people to communicate is the number one reason things don't work out in the business world. it is so important for founders to understand that they are dealing with people on the other side. they are not dealing with a number. the number is essentially a number. i think there is a deal between mark and whatsapp got done because he established a connection. mark established a connection with kevin. >> i was going to say the same thing. >> you hear after the fact he has been working on these guys for a couple of years. >> even when i was working with facebook, we worked on that discussion for over a year.
11:54 pm
it was well over a year. met him, had dinner with him many times. >> you also got mark to hire sheryl sandberg. >> i introduced them. nobody gets sheryl or mark to do anything. she's not a number two kind of gal. >> she's not a number two kind of anything and neither is he. brian asking -- it is interesting how all of this comes together. silicon valley people want to win. they want a mission, they want a mission that matters and they want to be an organization that wins. some of these folks say, i can win faster if i'm with facebook because i believe in that team. it is that confidence and trust and respect that gets these
11:55 pm
things done and makes them work. >> mark zuckerberg looks great right now. everyone seems to have confidence that he can make the best of these acquisitions and these will not be viewed as wrong moves in hindsight. but how do we really know that? what makes him so special? why can he buy versus build innovation and that can be ok? >> i think the key to understanding mark or anybody like him is to understand that they have an innate confidence in themselves. the confidence in themselves means they are ok being wrong. people who think they can only win without being wrong, they never win. mark is one of those guys -- he will take his punch and come back with a counter attack and do a better job. whether whatsapp works out or not, it is a risk worth taking. look what he's using, a stock which is pretty inflated. cisco used to do that.
11:56 pm
sometimes half the cisco deals worked out and half did not work out. when they did, you end up with a product like the cisco switch. that is the same thing with mark. >> now that you have a publicly traded stock [indiscernible] you are aware of this. do you look at deals and try to figure out how the integration will be just as hard as the decision to do it? >> you have to look at the whole spectrum. the magic of some of these deals you see, a lot of these things are not businesses. they are very small teams. there may be zero integrations. it is more of a cultural fit. and do they agree on how they're going to run it? when you buy an actual business with a p&l and long-term culture, those are much harder and those do not work out nearly as well
11:57 pm
as these. >> we have to leave it here. thank you both and thank you all for watching. ♪
11:58 pm
11:59 pm
12:00 am
>> the following is a paid advertisement from starvista entertainment and time life. ♪ listen to the music ♪ even the nights are better
