Skip to Contact an Expert Skip to Main Content
card-connect
card-connect
  • Level 1 menu, Item 1 of 5, Solutions
    Back
    Payment Acceptance
    • Sub Menu Item 1 of 7, Payment Processing

      Accept payments with CardPointe

    • Sub Menu Item 2 of 7, In-Store Payments

      POS powered payments 

    • Sub Menu Item 3 of 7, Online Payments

      Ecommerce solutions

    • Sub Menu Item 4 of 7, Payment Gateway

      CardPointe payment gateway integration

    • Sub Menu Item 5 of 7, Mobile Payments

      On-the-go payments

    • Sub Menu Item 6 of 7, Integrated Payments for Software

      Payment acceptance for existing software

    • Sub Menu Item 7 of 7, Virtual Terminal

      CardPointe's browser-based POS system

    Point-of-Sale(POS)
    • Sub Menu Item 1 of 6, Clover

      Customized hardware solutions 

    • Sub Menu Item 2 of 6, CardPointe Terminal

      Payment machines

    • Sub Menu Item 3 of 6, Value-add Solutions
    • Sub Menu Item 4 of 6, Integrations & Add-ons

      Integrated payment solutions

    • Sub Menu Item 5 of 6, Payment Security

      Data protection via CardSecure

    • Sub Menu Item 6 of 6, Transaction Management

      Tracking & reporting tools

  • Level 1 menu, Item 2 of 5, Who We Serve
    Back
    Sales Agent & ISOs
    • Sub Menu Item 1 of 6, CardConnect Partner Program

      Sell merchant services

    • Sub Menu Item 2 of 6, CoPilot

      Partner portfolio management

    • Sub Menu Item 3 of 6, Merchants
    • Sub Menu Item 4 of 6, Merchant Payment Acceptance

      Accept credit card payments

    • Sub Menu Item 5 of 6, Software Providers & ISVs
    • Sub Menu Item 6 of 6, Fiserv

      Credit card payments integration

    Conectados – English
    • Sub Menu Item 1 of 5, Conectados

      Hispanic-focused selling program

    • Sub Menu Item 2 of 5, Conectados Signup
    • Sub Menu Item 3 of 5, Conectados – Spanish
    • Sub Menu Item 4 of 5, Conectados

      Programa de ventas enfocado en hispanos

    • Sub Menu Item 5 of 5, Conectados Inscribirse
  • Level 1 menu, Item 3 of 5, Resources
    Back
    Professional Tools & Learning
    • Sub Menu Item 1 of 3, Partner Portal

      Knowledge center for current partners 

    • Sub Menu Item 2 of 3, Developer Documentation

      Integration support

    • Sub Menu Item 3 of 3, LaunchPointe

      Blog resources for payments tips

  • Level 1 menu, Item 4 of 5, About Us
  • Level 1 menu, Item 5 of 5, Log in
    Back
    • Sub Menu Item 1 of 3, CardPointe
    • Sub Menu Item 2 of 3, CoPilot
    • Sub Menu Item 3 of 3, BluePay
Contact Us

Case Study: What We've Learned from the Target Data Breach of 2013

May 19, 2023

What We Learned from Target's Data Breach 2013 | CardConnect

In 2013, the infamous Target data breach swept through America, compromising a devastating number of point-of-sale systems and along with it, over 40 million credit and debit card numbers. Four years later in 2017, Target reached an 18.5-million dollar multistate settlement, requiring they employ an executive to oversee a comprehensive data security program. The company was also required to hire a third-party which will encrypt and protect card information, ensuring their data is secured and unreadable if accessed.

Target has since been adopting appropriate measures to keep their customers’ information safe – but it’s important to learn from where they went wrong. So what was Target lacking before? We’ve compiled a comprehensive autopsy: here's our case study, diagnosing several factors and components which led to Target’s massive security breach.

What exactly happened in the Target security breach?

According to Krebs on Security, who first reported the news, the breach involved the acquiring of customer information (encrypted PIN data, customer names, credit and debit card numbers, card expiration dates) stored in the magnetic stripe on the back of their payment cards. Undetectable malware was installed on a number of point-of-sale systems in a short amount of time, which indicates the software may have been installed via an automatic updating process. Since this breach, the U.S. has adopted EMV technology, which would have prevented hackers from acquiring information via the magnetic stripe (in other words, their malware would not have affected the chipcard). The perpetrators completed their attack by accessing one of Target’s third-party vendors, a refrigerator contractor, Fazio Mechanical. The vendor accessing Target’s systems was not using adequate anti-malware software, and their lack of segregation between networks led to the compromise of millions of customers’ information.

We can conclude a few things from this:

  • Target’s systems were not protected and thus were vulnerable to phishing attacks
  • Networks were not adequately segregated
  • Several previous warnings were overlooked

What’s interesting to consider about the Target security breach is the fact that Target passed PCI compliance audits prior to the breach and had implemented security methods required by the PCI Security Council.

In a case study on the Target data breach, the SANS Institute Reading Room reacted with this statement, “A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations. Each asset has a specific set of threats and vulnerabilities that can be considered as part of a risk management program, rather than simply implementing what is mandated for a subset of assets. As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.”

What Target did wrong

How a company responds to a malware infection makes a considerable difference in how an attack may impact their customers and business. The Initial response is crucial to the minimizing of a malware attack, and is also one of the areas where Target underperformed.

Target missed several internal alerts, and only discovered their breach when contacted by the Department of Justice. Their monitoring software (FireEye) alerted Target staff in Bangalore, India, who in turn notified staff in Minneapolis: but no action was taken.

Despite the fact that Target reportedly spent a large sum on security technology utilizing encryption, their data was accessed in memory where it was unencrypted.

Damages to the company

While the effects of the breach are everlasting on Target’s security approach, the company faced major losses at the time of occurrence, setting them back greatly during the holiday season. After profits dropped 46 percent during Q4 of 2013, customer visits plunged during the new year, prolonging Target’s losses. High-ranking employees, including Target’s CEO, lost their jobs, and over 140 lawsuits were filed in three years. The Huffington Post estimates the breach had cost $252 million before the lawsuit, including the costs for banks to reissue 21.8 million cards.

How the data breach could have been prevented

A multi-layered security strategy would have prevented, if not at least mitigated the detrimental effects of this breach on Target and its customers.

Focusing on all vulnerabilities

Target’s strategy focused mainly on PCI compliance, while there are sometimes risks that fall outside of the scope of PCI requirements. Standards may also inform adversaries which security measures a business has implemented, so the attacker will capitalize on vulnerabilities not on the PCI compliance checklist.

Implementing tokenization

As also stated by the SANS Reading Room, “For encryption to be effective, you must employ an in-depth defense strategy in which you also protect the key and protect access to systems where the data needs to be unencrypted in order to be processed.”

In the instance of the Target breach, tokenization would have played a crucial role in protecting consumer information. Rather than relying on basic encryption methods, the customer information would have been replaced with unique, irreversible tokens – unable to be accessed and decoded by hackers.

Adapting EMV technology

As mentioned before, an EMV terminal accepting chip cards could have also prevented the theft of information via the magnetic strip on the back of cards. CardConnect’s CardPointe and Bolt P2PE terminals protect in-store transactions as all sensitive data is instantly encrypted and tokenized upon entry. The terminal accepts both cards with magnetic strips and EMV chips, utilizing PCI-validated point-to-point encryption (P2PE) for each individual transaction. All transactions captured with the CardPointe and Bolt P2PE terminals are captured in the powerful transaction management portal, CardPointe, in real-time, making it easy to accept and manage transactions. What’s also really important is that CardPointe also keeps its users apprised of the status of their business’s level of PCI compliance.

The final lesson of the Target data breach

It’s important for merchants to understand that the range of security threats can be wider than standard PCI compliance. Monitoring networks and being attentive to disruptive or unusual patterns in a system’s network is crucial to protecting their systems – and in turn, customer data. Target is just one of many companies to have faced a major data breach. Make sure your company or business is protecting your customers the best they can.

If you’d like to discuss how our security solutions can protect your business and customers, fill out the brief form below and our team will connect with you.

Contact Us

Your success in payments starts here! Please select your partnership type below so we can connect. 

Agent/ISO Partnership Merchant Partnership ISV Partner? Please visit our dedicated site for ISV Partners.
  • Privacy Policy
  • About Us
  • Contact Us
  • Sitemap

Solutions

  • CoPilot Portfolio Management
  • CardPointe Payment Processing
  • In-Store/Online Payments
  • Mobile Payments
  • Virtual Terminal
  • Payments Gateway
  • Integrated Payments for Software

Resources

  • Partner Portal
  • Developer Documentation
  • LaunchPointe

Who We Serve

  • Sales Agents & ISOs
  • Software Providers & ISVs
  • Conectados
  • Merchants

card-connect-logo

 

© 2025 CardConnect

CardConnect is a registered ISO of Wells Fargo Bank, N.A., Concord, CA, PNC Bank, N.A., Pittsburgh, PA and Pathward, N.A., Sioux Falls, SD. 

All rights reserved.

Site Selector