Target Data Breach
More than a year ago, the country was rocked by the Target data breach. Target shoppers got an unwelcome holiday surprise in December 2013, when it was reported that over 40 million Target credit card numbers had been stolen (Hardekopf, 2015). The data breach happened between November 27 and December 15, with over 11 GB of data stolen. Initially, Target missed the internal alerts and only found out about the data breach when it was contacted by the Department of Justice.
Although the details of how the data breach occurred were not made available to the public, sources suggest that the attackers may have started with a Google search that would give them a great deal of information about how Target interacts with its vendors. This investigation would also have revealed a detailed study that describes how Target uses its security software to deploy security patches and system updates, and that describes its technical infrastructure, including the POS system information, in significant detail (Radichel, 2014, p. 2).
The cost of the data breach affected Target customers, employees and the banks. Many high-ranking employees lost their jobs, including the company CEO and CIO. Some members of the board of directors were also threatened with removal. The banks had to refund the money that was stolen from the customers and pay for the replacement cards, which cost more than $200 million. More than 140 lawsuits were filed against Target, and the banks sued Target’s PCI compliance auditor, Trustwave. Overall, the company's profit dropped 46% during the fourth quarter of 2013, and customer visits dropped in the New Year, which prolonged the losses (Radichel, 2014, p. 4).
What happened to Target is called a data breach: an organization that has been entrusted with sensitive data loses control of that data. A data breach does not necessarily involve theft; some data breaches happen when hard drives get lost during transport. Target’s data breach started on November 29, 2013, during the “Black Friday” shopping season. An unknown group or groups of hackers penetrated at least two of Target’s computer systems. This intrusion continued until December 15, 2013, when Target discovered the penetration and shut it down (Scharr, 2013).
According to reports, two kinds of information were compromised. The first kind was the credit and debit card data. This data is found on the magnetic stripe on the back of the card, and it replicates some of the information that is printed on the card, including the cardholder’s name and the expiration date. Also compromised were the four-digit personal identification numbers, or PINs, of debit cards. Debit card PINs are not stored on the cards; however, the thieves were able to steal this data in heavily encrypted form. This indicates that Target's point-of-sale payment system, which transfers the PINs to the centralized servers as customers type them, was successfully attacked by the hackers (Wagenseil, 2014).
The second kind of data stolen from the company was personally identifiable information. In this case, it includes the names, addresses, email addresses and telephone numbers of the 70 million individuals connected with Target. This data could be used to steal a cardholder’s identity in order to fraudulently open bank accounts or take out loans (Wagenseil, 2014). According to reports, online criminals from Eastern Europe could be behind some of the biggest data breaches in the country. These Eastern European online criminals are always active; however, there are also American-led groups of hackers who have carried out the biggest data breaches in history, which affected TJX Corporation in 2007 and Heartland Payment Systems in 2009 (McEntegart, 2006).
On January 12, 2014, Target’s CEO, Gregg Steinhafel, said in an interview that the incident involved the penetration of the point-of-sale terminals at the checkout counters. Several strains of malware were found to have infected these terminals; however, he did not provide specific details on the matter. On the same day, Reuters reported several features of the data breach incident, which involved not only Target but also other retailers such as Neiman Marcus. The report stated that the attackers used a technique called “RAM scraping”, a process that captures data while it is still in a computer’s working memory, before it is encrypted for storage or transmission.
It is likely that the attackers were able to move freely around Target’s internal computer network after the initial infiltration, since they were able to access two different sets of data. The information on how the attackers got into the retailer’s system was not made public. Security experts speculated that this could be the result of an inside job. Even if five other retailers became victims of the same incident, it is more likely that the hackers found a common weak spot in the systems through which they were able to insert the malware. The fact that a number of Target stores were affected by the data breach implies that the malware infection took place in the centralized payment processing system before it was distributed through the network to the retail stores in the country (Wagenseil, 2014).
After the massive data breach, Target worked on developing high-security cards. The company ramped up its efforts to make its services more secure. After the incident, Target’s Chief Financial Officer, John Mulligan, made a statement saying that the firm is adopting chip-enabled smart cards that would dramatically improve the security of debit and credit cards in retail. These cards reportedly contain small microprocessors, which make it more difficult to hack them and steal data. The project was actually started before the data breach, and the $100 million project has now been accelerated. The smart cards have tiny microprocessor chips that encrypt the personal data shared with the sale terminals used by merchants. This makes stealing the card number useless, since the chip would be needed to steal other valuable information (Osborne, 2014).
Target also disclosed that, even while the incident investigation was under way, it had taken significant actions to further strengthen security across its network. First, it enhanced its monitoring and logging systems by implementing additional rules and alerts and enabling logging capabilities. It also installed whitelisting on point-of-sale systems, which includes deployment to all cash registers and servers and the development of whitelisting rules. Enhanced segmentation was implemented by developing point-of-sale management tools and a comprehensive firewall governance process. Lastly, it enhanced the security of accounts. According to the company website, it coordinated a reset of 445,000 Target team member and contractor passwords and expanded its password vaults. It also deactivated several vendor accounts, reduced the privileges of several accounts and developed additional training related to password rotation ("updates on Target’s security and technology enhancements," 2014).
References
Hardekopf, B. (2015, January 13). The Big Data Breaches of 2014 - Forbes. Retrieved from http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/
McEntegart, J. (2006, August 6). 11 Arrested in Nation's Biggest Case of Hacking and Identity Theft. Retrieved July 1, 2015, from http://www.tomsguide.com/us/11-identity-theft-arrests-41m,news-2239.html
Osborne, C. (2014, February 4). After data breach, Target develops high-security credit cards | ZDNet. Retrieved July 1, 2015, from http://www.zdnet.com/article/after-data-breach-target-develops-high-security-credit-cards/
Radichel, T. (2014). Case Study: Critical Controls that Could Have Prevented Target Breach. SANS Institute InfoSec Reading Room.
Scharr, J. (2013, December 18). UPDATED: Target Customers Targeted in Massive Data Breach. Retrieved July 1, 2015, from http://www.tomsguide.com/us/target-data-breach,news-18003.html
updates on Target’s security and technology enhancements. (2014, April 29). Retrieved July 1, 2015, from https://corporate.target.com/article/2014/04/updates-on-target-s-security-and-technology-enhanc
Wagenseil, P. (2014, January 14). Target Data Breach - FAQ - What to Do Now - Tom’s Guide. Retrieved from http://www.tomsguide.com/us/target-neiman-marcus-data-breach-faq,news-18199.html