Case Study: Target Data Breach of 2013

If history has taught us anything, it’s that where there’s a will there’s a way. Technology has come leaps and bounds over the last half-century, but along with that ascension has come a tremendous rise in cyber attacks and cyber-related crimes. These started off with small viruses and bots that posed little real danger, but have since escalated to heights that cause lasting financial and societal impacts. One of the most notorious cyber attacks was the Target data breach of 2013, which left the company and its customers in its wake during the 2013 holiday shopping season.

The Target data breach serves as a perfect example that an entity’s cybersecurity, like many things in life, is only as strong as its weakest link. The main vulnerability that led to the destructive nature of the attack was the lack of continuity and oversight between Target’s systems and those of its third-party providers. Although Target’s cybersecurity infrastructure was for the most part sound, attackers were able to ‘target’ third-party providers which weren’t equipped with the same defenses. The attackers used malware, which they first installed on a small number of third-party point-of-sale (POS) terminals between November 15th and November 28th; by November 30th the vast majority of Target’s POS systems were infected.

Along with attacking POS terminals, the attackers were able to gain access to Target’s servers by using stolen credentials from an HVAC and refrigeration company, Fazio Mechanical Services. The company was contracted by Target for refrigeration services and had remote access to Target’s network for electronic billing, submitting contracts, and project management. Once the attackers had access to the network, they began installing malware intended to move the stolen data through Target’s network and out past the firewall. This malware was first installed on November 30th and received two subsequent updates, the last occurring on December 2nd. A third type of malware was installed on intermediate servers and is presumed to have been used for storing the stolen data until it could be fully extracted. Each time the malware was installed or updated, Target’s FireEye malware intrusion detection system sent out urgent alerts; however, the company’s security team never responded to these alerts, a point discussed in further detail below.

Over the course of the data breach, attackers were able to steal over 40 million credit and debit card records as well as over 70 million customer records. At the time this was one of the largest breaches and cyber attacks in history, although in the ten years since we’ve seen breaches far surpass these numbers. Following many investigations and litigation, Target was ordered to pay an $18.5 million settlement; however, the full repercussions stretch further than the cost of the settlement. The Target data breach came shortly after other notable breaches which had consumers wary of their personal information being stolen and exploited. It was reported that Target’s earnings fell over 46% following the attack, because consumers were wary of shopping there and because Target’s public image took a major blow. It has been estimated that the total loss was in excess of $200 million, far surpassing the $18.5 million settlement.

Target did react fairly quickly in reporting the incident to the public: the disclosure came 20 days after the attacks concluded but only 4 days after Target officials were made aware of them. Although their crisis management response was notable, the crisis may have been avoidable in the first place. As stated earlier, each time the attackers installed or updated malware on the company’s network, an urgent alert was triggered by the malware intrusion detection system. It has been reported that Target’s security team neither reacted to these alerts nor allowed the software to automatically delete the malware as it had been designed to do. Target’s Symantec antivirus software had also detected malicious activity around the same time and on the same server flagged for malware; however, these alerts also went unnoticed or were ignored.
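The two paragraphs above describe the failure mode from the defender’s side: the FireEye system alerted on every install and update, the Symantec antivirus flagged the same server in the same period, and nobody acted. The script below is an added example, not code from Target, FireEye, or Symantec, showing the kind of triage rule that turns that situation into an unmissable escalation: alerts are grouped per host, a host on which two independent sources fire within a short window (or on which a high-severity alert repeats) is marked critical, and any critical or high finding left unacknowledged past a deadline is reported as overdue. The alert line format, the host names, the 15-minute window and the 4-hour acknowledgement deadline are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert lines. The format "<ISO time> <source> <host> <severity> <message>"
# is an assumption for this example, not the FireEye or Symantec log format.
SAMPLE_ALERTS = """\
2013-11-30T02:14:10 ids srv-exfil-01 high new binary dropped, auto-delete disabled
2013-11-30T02:16:45 av srv-exfil-01 medium suspicious file detected, action=log-only
2013-12-01T08:00:00 ids pos-0412 low heuristic anomaly
2013-12-02T11:03:22 ids srv-exfil-01 high binary updated, auto-delete disabled
2013-12-02T11:05:01 av srv-exfil-01 medium suspicious file detected, action=log-only
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
CORRELATION_WINDOW = timedelta(minutes=15)   # assumed tuning value
ACK_SLA = timedelta(hours=4)                 # assumed response deadline


def parse_alerts(text):
    """Parse the constructed alert lines into dicts, oldest first."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, severity, message = line.split(" ", 4)
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "host": host,
            "severity": severity,
            "message": message,
        })
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(alerts, window=CORRELATION_WINDOW):
    """Summarise alerts per host and raise priority when independent sources agree.

    A host is 'corroborated' when two alerts from different sources fall within
    `window` of each other. Repeated high-severity alerts on one host also make
    it critical: a second drop of the same tool means the first alert was never
    acted on.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    findings = {}
    for host, items in by_host.items():
        corroborated = False
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break           # items are sorted, so later ones are further away
                if b["source"] != a["source"]:
                    corroborated = True
        highs = sum(1 for a in items if a["severity"] == "high")
        max_sev = max(items, key=lambda a: SEVERITY_RANK[a["severity"]])["severity"]
        if corroborated or highs >= 2:
            priority = "critical"
        elif max_sev == "high":
            priority = "high"
        else:
            priority = "review"
        findings[host] = {
            "first_seen": items[0]["ts"],
            "count": len(items),
            "sources": sorted({a["source"] for a in items}),
            "corroborated": corroborated,
            "max_severity": max_sev,
            "priority": priority,
        }
    return findings


def overdue_escalations(findings, acknowledged, now, sla=ACK_SLA):
    """Return hosts whose critical/high findings sit unacknowledged past the SLA.

    `now` may be a datetime or an ISO-8601 string; `acknowledged` is the set of
    host names an analyst has already picked up.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return sorted(
        host for host, f in findings.items()
        if f["priority"] in ("critical", "high")
        and host not in acknowledged
        and now - f["first_seen"] > sla
    )


if __name__ == "__main__":
    findings = correlate(parse_alerts(SAMPLE_ALERTS))
    for host, f in findings.items():
        print(host, f["priority"], f["sources"], "corroborated" if f["corroborated"] else "")
    # Nobody acknowledged anything, so the server with two corroborated alerts is overdue.
    print("overdue:", overdue_escalations(findings, set(), "2013-12-12T00:00:00"))
```

Run against the constructed sample, the server flagged by both sources comes out as critical while the single low-severity POS alert stays at review, and the overdue list contains only the critical server. The design point is that corroboration across independent tools, and time since the first unanswered alert, are what should drive paging, not the raw alert count that lets a flood of notices become background noise.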

When looking at Target’s security team specifically, it’s hard to say what prompted them to take no action on the urgent alerts received from the antivirus and malware detection software. It seems that Target had implemented sufficient cybersecurity measures, but they were ignored by the people the company had put in place for incidents such as this. Maybe there was a lack of training or oversight, but that would be purely speculation. Along with bolstering its security team, the company could have put something in place to streamline the oversight and continuity between its network and those of its third-party providers. The breach occurred because attackers were able to obtain the credentials of one of Target’s vendors; however, the damage could have been limited had the company’s security team acted appropriately.

