Case Study: What We've Learned from the Target Data Breach of 2013
In 2013, the infamous Target data breach swept through America, compromising a devastating number of point-of-sale systems and, with them, over 40 million credit and debit card numbers. Four years later, in 2017, Target reached an $18.5 million multistate settlement requiring it to employ an executive to oversee a comprehensive data security program. The company was also required to hire a third party to encrypt and protect card information, ensuring the data is secured and unreadable if accessed.
Target has since adopted appropriate measures to keep its customers' information safe, but it's important to learn from where it went wrong. So what was Target lacking before? We've compiled a comprehensive autopsy: here's our case study, diagnosing the factors and components that led to Target's massive security breach.
What exactly happened in the Target security breach?
According to Krebs on Security, who first reported the news, the breach involved the theft of customer information (encrypted PIN data, customer names, credit and debit card numbers, and card expiration dates) stored in the magnetic stripe on the back of payment cards. Malware that evaded detection was installed on a large number of point-of-sale systems in a short amount of time, which indicates it may have been pushed out through an automatic update process. Since this breach, the U.S. has adopted EMV technology, which would have prevented the attackers from harvesting information from the magnetic stripe (in other words, the malware would not have captured data from a chip card). The perpetrators completed their attack by accessing one of Target's third-party vendors, a refrigeration contractor, Fazio Mechanical. The vendor accessing Target's systems was not using adequate anti-malware software, and the lack of segregation between networks led to the compromise of millions of customers' information.
We can conclude a few things from this:
- Target’s systems were not protected and thus were vulnerable to phishing attacks
- Networks were not adequately segregated
- Several previous warnings were overlooked
What’s interesting to consider about the Target security breach is the fact that Target passed PCI compliance audits prior to the breach and had implemented security methods required by the PCI Security Council.
In a case study on the Target data breach, the SANS Institute Reading Room reacted with this statement, “A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations. Each asset has a specific set of threats and vulnerabilities that can be considered as part of a risk management program, rather than simply implementing what is mandated for a subset of assets. As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.”
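The two points above, a vendor connection that was not segregated from the payment network and attackers who moved across many assets to reach the POS systems, come down to transitive reachability: no single firewall rule allows the vendor portal to talk to a register, yet a chain of permitted flows does. The following is an added example, not part of this case study or any vendor's product, that models network zones and allowed flows (all names and flows are constructed) and reports any path, direct or through intermediate zones, that violates a stated segmentation policy.

```python
"""Transitive reachability check for a network segmentation policy.

Added example (not from the original case study): zones are graph nodes,
firewall-permitted flows are directed edges, and a policy violation is any
path from a low-trust zone to the cardholder-data zones, even one that only
exists through intermediate hops. Zone names and flows are constructed.
"""
from collections import deque

# Constructed allowed flows, as (source_zone, destination_zone).
# No rule permits vendor_portal -> pos directly, but vendor_portal reaches
# the corporate LAN, and corporate reaches the POS segment (two ways).
ALLOWED_FLOWS = [
    ("vendor_portal", "corporate"),
    ("corporate", "pos"),
    ("pos", "payment_gateway"),
    ("corporate", "update_server"),
    ("update_server", "pos"),
]

# Policy: the zone on the left must never reach the zone on the right,
# directly or transitively.
FORBIDDEN_PATHS = [
    ("vendor_portal", "pos"),
    ("vendor_portal", "payment_gateway"),
]


def build_graph(flows):
    """Adjacency sets keyed by zone; every zone mentioned becomes a node."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the shortest zone-by-zone path or None."""
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph[node]):  # sorted for deterministic output
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def segmentation_violations(flows, forbidden):
    """Return (src, dst, path) for every forbidden pair that is reachable."""
    graph = build_graph(flows)
    violations = []
    for src, dst in forbidden:
        path = find_path(graph, src, dst)
        if path:
            violations.append((src, dst, path))
    return violations


def remove_flow(flows, src, dst):
    """Simulate a firewall change: drop one permitted flow."""
    return [f for f in flows if f != (src, dst)]


if __name__ == "__main__":
    for src, dst, path in segmentation_violations(ALLOWED_FLOWS, FORBIDDEN_PATHS):
        print(f"VIOLATION {src} -> {dst} via {' -> '.join(path)}")
    fixed = remove_flow(ALLOWED_FLOWS, "vendor_portal", "corporate")
    print("after removing vendor_portal -> corporate:",
          segmentation_violations(fixed, FORBIDDEN_PATHS) or "no violations")
```

The check deliberately reports the shortest offending path rather than a yes/no answer, because the hop in the middle (here the corporate LAN) is the one that needs a control. Run against a real rule export, the same logic catches the case where each rule looks reasonable in isolation but the combination lets a vendor VPN land on the payment segment.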
What Target did wrong
How a company responds to a malware infection makes a considerable difference in how an attack impacts its customers and business. The initial response is crucial to minimizing the damage from a malware attack, and it is also one of the areas where Target underperformed.
Target missed several internal alerts and only discovered the breach when contacted by the Department of Justice. Its monitoring software (FireEye) alerted Target staff in Bangalore, India, who in turn notified staff in Minneapolis, but no action was taken.
Despite the fact that Target reportedly spent a large sum on security technology that included encryption, the card data was accessed in memory, where it was unencrypted.
Damages to the company
While the breach has had a lasting effect on Target's security approach, the company also faced major losses at the time, setting it back considerably during the holiday season. After profits dropped 46 percent in Q4 of 2013, customer visits plunged in the new year, prolonging Target's losses. High-ranking employees, including Target's CEO, lost their jobs, and over 140 lawsuits were filed within three years. The Huffington Post estimates the breach had cost $252 million before the lawsuit, including the cost for banks to reissue 21.8 million cards.
How the data breach could have been prevented
A multi-layered security strategy would have prevented, or at least mitigated, the detrimental effects of this breach on Target and its customers.
Focusing on all vulnerabilities
Target's strategy focused mainly on PCI compliance, but some risks fall outside the scope of PCI requirements. Published standards may also tell adversaries which security measures a business has implemented, so an attacker will look for weaknesses that are not on the PCI compliance checklist.
As also stated by the SANS Reading Room, “For encryption to be effective, you must employ an in-depth defense strategy in which you also protect the key and protect access to systems where the data needs to be unencrypted in order to be processed.”
In the case of the Target breach, tokenization would have played a crucial role in protecting consumer information. Rather than relying on basic encryption alone, the customer's card data would have been replaced with unique, irreversible tokens that cannot be decoded by an attacker who obtains them.
Adopting EMV technology
As mentioned above, an EMV terminal accepting chip cards could also have prevented the theft of information from the magnetic stripe on the back of cards. CardConnect's CardPointe and Bolt P2PE terminals protect in-store transactions because all sensitive data is encrypted and tokenized the instant it is entered. The terminal accepts both magnetic-stripe and EMV chip cards, using PCI-validated point-to-point encryption (P2PE) for each individual transaction. All transactions captured with the CardPointe and Bolt P2PE terminals appear in real time in the CardPointe transaction management portal, making it easy to accept and manage transactions. CardPointe also keeps its users apprised of their business's level of PCI compliance.
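The three ideas in this section, card data that was readable in POS memory, replacement of card data with irreversible tokens, and point-to-point encryption from the terminal to the processor, fit together in one flow. The following is an added, self-contained simulation, not CardConnect's code and not part of the original article: the terminal encrypts track data under a key only the processor holds, the POS forwards the opaque blob, and the processor returns a random token that the merchant stores. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the AES-based schemes real P2PE terminals use, and the key, card number and track layout are constructed for the example.

```python
"""P2PE plus tokenization, simulated end to end.

Added example, not CardConnect's code and not from the original article.
The POS process handles only ciphertext on the way in and a token on the way
out, so the PAN never sits in POS memory in the clear. The encryption is a
stdlib-only stand-in for the AES-based schemes real terminals use; the key,
PAN and track layout are constructed test values.
"""
import hashlib
import hmac
import secrets

# Constructed: key injected into the terminal's secure element and held by
# the processor. The POS application never has it.
PROCESSOR_KEY = bytes.fromhex("0f" * 32)
# Constructed track-2 style data: PAN=expiry+service code (test PAN only).
TEST_PAN = "4111111111111111"
TEST_TRACK = f"{TEST_PAN}=2512101".encode()


def _keystream(key, nonce, length):
    """Counter-mode keystream derived from HMAC-SHA256 (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(key, track_data):
    """Runs inside the terminal: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(track_data, _keystream(key, nonce, len(track_data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(key, blob):
    """Runs at the processor; rejects any blob whose tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Processor:
    """Holds the decryption key and the token vault; neither leaves here."""

    def __init__(self, key):
        self.key = key
        self.vault = {}  # token -> PAN; the only place the mapping exists

    def authorize(self, blob):
        pan = processor_decrypt(self.key, blob).decode().split("=")[0]
        token = secrets.token_hex(16)  # random, so it cannot be reversed
        self.vault[token] = pan
        return {"token": token, "last4": pan[-4:], "approved": True}

    def detokenize(self, token):
        return self.vault.get(token)


def pos_checkout(processor, terminal_blob):
    """Everything the POS ever holds for this sale."""
    response = processor.authorize(terminal_blob)
    # Merchant record keeps a token and last four digits, never the PAN.
    return {"token": response["token"], "last4": response["last4"],
            "approved": response["approved"]}


def pan_present(pan, data):
    """True if the full PAN appears in a value the POS handled."""
    needle = pan.encode()
    return needle in (data if isinstance(data, bytes) else data.encode())


if __name__ == "__main__":
    proc = Processor(PROCESSOR_KEY)
    blob = terminal_encrypt(PROCESSOR_KEY, TEST_TRACK)
    record = pos_checkout(proc, blob)
    print("PAN in terminal output:", pan_present(TEST_PAN, blob))
    print("PAN in merchant record:", pan_present(TEST_PAN, record["token"]))
    print("vault lookup:", proc.detokenize(record["token"]))
```

Two properties are worth checking against any real deployment: the POS-side values (the blob and the stored token) contain no PAN, and a copy of the token is useless without the vault, which is why a second Processor instance with the same key still cannot detokenize it. The tag check is what stops a tampered blob from reaching the decrypt step.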
The final lesson of the Target data breach
It's important for merchants to understand that the range of security threats can be wider than what standard PCI compliance covers. Monitoring networks and watching for disruptive or unusual patterns in network traffic is crucial to protecting their systems, and in turn customer data. Target is just one of many companies to have faced a major data breach. Make sure your company or business is protecting its customers as well as it can.
If you’d like to discuss how our security solutions can protect your business and customers, fill out the brief form below and our team will connect with you.