It’s been almost four years since the infamous Black Friday data breach occurred at Target stores across the nation, compromising over 40 million credit and debit card numbers. Last month, Target reached an 18.5-million-dollar multistate settlement that requires it to employ an executive to oversee a comprehensive security program. The company is also required to encrypt and protect card information, so that the data is unreadable if accessed, and to hire an independent third party to assess its security program.
Target is now adopting appropriate measures to keep its customers’ information safe – but what was lacking before? We’ve compiled an autopsy of the breach, diagnosing the factors and components that led to Target’s massive hack.
According to Krebs on Security, which first reported the breach, the attackers harvested the data stored on the magnetic stripe on the back of customers’ payment cards. Memory-scraping malware that evaded antivirus detection was installed on a large number of point-of-sale systems in a short span of time, which suggests it was pushed out through an automated software-distribution or update process. The attackers gained their foothold through one of Target’s third-party vendors, the heating and refrigeration contractor Fazio Mechanical: the vendor’s credentials for Target’s systems were stolen through a phishing email, the vendor was not running adequate anti-malware software, and Target’s lack of segmentation between its vendor-facing network and its payment systems let the intruders reach the POS environment and compromise millions of customers’ records.
We can conclude a few things from this: the vendor’s access to Target’s systems was vulnerable to phishing, Target’s networks were not adequately segmented, and several warnings were overlooked.
What’s interesting about the Target breach is that Target had passed PCI compliance audits prior to the breach; it had implemented the security controls required by the PCI Security Standards Council. A compliance audit, however, is a point-in-time check against a fixed list of controls, not a guarantee that a determined attacker will be stopped.
As told by the SANS Institute Reading Room, “A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations. Each asset has a specific set of threats and vulnerabilities that can be considered as part of a risk management program, rather than simply implementing what is mandated for a subset of assets. As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.”
Malware attacks are often unpredictable, and no set of preventive controls will stop every intrusion. How a company detects and responds to a malware infection therefore makes a considerable difference in how an attack impacts its customers and business. The initial response is crucial to minimizing the damage from a malware attack, and it is one of the areas where Target underperformed.
Target missed several internal alerts and only learned of the breach when contacted by the Department of Justice. Its monitoring software (FireEye) alerted Target’s security staff in Bangalore, India, who in turn notified staff in Minneapolis, but no action was taken.
Although Target reportedly spent a large sum on security technology, including encryption, the malware captured card data in POS memory, where it sat unencrypted while being processed.
Target still feels the effects of the breach today, but the company faced its heaviest losses at the time, in the middle of the holiday season. Profit dropped 46 percent in Q4 of 2013, and customer visits plunged in the new year, prolonging the losses. High-ranking employees, including Target’s CEO, lost their jobs, and over 140 lawsuits were filed over three years. The Huffington Post estimates the breach has cost $252 million so far, including the cost to banks of reissuing 21.8 million cards.
A multi-layered security strategy would have mitigated, if not prevented, the detrimental effects of this breach on Target and its customers. Target’s strategy focused mainly on PCI compliance, but some risks fall outside the scope of the PCI requirements. A public standard also tells adversaries which controls a business has implemented, so an attacker will go after the weaknesses that are not on the PCI compliance checklist.
As also stated by the SANS Reading Room, “For encryption to be effective, you must employ an in-depth defense strategy in which you also protect the key and protect access to systems where the data needs to be unencrypted in order to be processed.”
In the Target breach, tokenization would have played a crucial role in protecting consumers’ information. Rather than storing card numbers, even encrypted ones, on its own systems, the merchant would hold unique tokens that are generated randomly and bear no mathematical relationship to the card number. A token cannot be reversed into a card number without the provider’s token vault, so tokens stolen from a merchant’s systems are useless to an attacker.
An EMV terminal accepting chip cards would also have blunted the theft: a chip transaction produces a one-time cryptogram, so data captured from it cannot be used to produce counterfeit magnetic-stripe cards. CardConnect’s CardPointe and Bolt Terminals protect in-store transactions by encrypting and tokenizing all sensitive data the moment it is entered, before it reaches the POS application. The terminals accept both magnetic-stripe and EMV chip cards and use PCI-validated point-to-point encryption (P2PE) for each individual transaction. All transactions captured with the CardPointe and Bolt Terminals appear in real time in the transaction management portal, CardPointe, making it easy to accept and manage payments while away from the device. CardPointe also keeps its users apprised of their business’s current level of PCI compliance.
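The three points above (card data scraped from POS memory, tokenization, and encrypting at the reader) in one added example. This is not CardConnect’s or Target’s code: the card number, the key, the `tok_` token format and the class names are constructed for the demo, and the HMAC counter-mode cipher is a stand-in for the hardware AES/DUKPT encryption a real P2PE reader performs. The scraper regex mirrors how RAM-scraping malware hunts for Track 2 data in a process’s memory.

```python
"""Added example (not CardConnect's or Target's code). It contrasts the
'before' flow, where a POS application handles cleartext track data, with a
reader that encrypts at swipe time and a gateway that returns a token. The
card number, key and token format are constructed for this demo."""
import hashlib
import hmac
import re
import secrets

# Constructed Track 2 data for a well-known test PAN; the layout is
# ;PAN=YYMM<service code><discretionary data>?
SAMPLE_TRACK2 = b";4111111111111111=25121010000012345678?"
SAMPLE_PAN = "4111111111111111"

# Same kind of pattern a memory-scraping malware uses to find Track 2 data:
# start sentinel, 13-19 digit PAN, field separator, 4-digit expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}.*?\?")


def scrape(memory: bytes) -> list:
    """Return every PAN a RAM scraper would harvest from this buffer."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR driven by an HMAC-SHA256 PRF. This is a stand-in for
    the AES/DUKPT encryption a real P2PE reader does inside secure hardware;
    the demo is about where cleartext exists, not about the cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def legacy_pos_authorize(track2: bytes) -> dict:
    """'Before' flow: the POS parses cleartext track data in its own memory
    and keeps the PAN, so a scraper on the POS sees everything."""
    pos_memory = bytes(track2)                      # what malware can read
    pan = TRACK2_RE.match(track2).group(1).decode()
    return {"stored": pan, "pos_memory": pos_memory}


class P2PEReader:
    """Card reader whose key was injected at the factory; the POS it is
    plugged into never holds the key, only ciphertext passes through it."""

    def __init__(self, key: bytes):
        self._key = key

    def swipe(self, track2: bytes) -> bytes:
        nonce = secrets.token_bytes(12)             # fresh per transaction
        return nonce + keystream_xor(self._key, nonce, track2)


class Gateway:
    """Payment provider: the only party that decrypts, and the keeper of the
    token vault. A token is random and has no relation to the PAN."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}                            # token -> PAN

    def authorize(self, blob: bytes) -> str:
        nonce, ciphertext = blob[:12], blob[12:]
        track2 = keystream_xor(self._key, nonce, ciphertext)
        pan = TRACK2_RE.match(track2).group(1).decode()
        token = "tok_" + secrets.token_hex(16)       # constructed format
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def p2pe_pos_authorize(reader: P2PEReader, gateway: Gateway,
                       track2: bytes) -> dict:
    """Hardened flow: only ciphertext transits POS memory, and the merchant
    stores a token for refunds or recurring charges instead of the PAN."""
    blob = reader.swipe(track2)
    pos_memory = bytes(blob)                        # what malware can read
    token = gateway.authorize(blob)
    return {"stored": token, "pos_memory": pos_memory}


def demo() -> tuple:
    """Run both flows on the constructed swipe and return the artefacts."""
    key = secrets.token_bytes(32)                   # held by reader and gateway only
    legacy = legacy_pos_authorize(SAMPLE_TRACK2)
    reader, gateway = P2PEReader(key), Gateway(key)
    hardened = p2pe_pos_authorize(reader, gateway, SAMPLE_TRACK2)
    return legacy, hardened, gateway


if __name__ == "__main__":
    legacy, hardened, gateway = demo()
    print("scraper finds in legacy POS memory:", scrape(legacy["pos_memory"]))
    print("scraper finds in P2PE POS memory:  ", scrape(hardened["pos_memory"]))
    print("merchant stores:                   ", hardened["stored"])
    print("vault can still detokenize:        ", gateway.detokenize(hardened["stored"]))
```

Running it shows the scraper recovering the PAN from the legacy flow and nothing from the P2PE flow, while the merchant ends up holding only a token that the gateway’s vault can map back. Two swipes of the same card produce different ciphertext and different tokens, which is what makes a stolen token worthless on its own.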
It’s important for merchants to understand that the range of security threats is wider than the standard PCI compliance checklist. Monitoring networks and acting on unusual patterns of activity is crucial to protecting their systems, and in turn customer data. Target is just one of many companies to have faced a major data breach. Make sure your company or business is protecting your customers as well as it can.
To learn more about the solutions you can use to protect your business and customer information, visit cardconnect.com/cardsecure.