University of Chicago
Type of paper: Thesis/Dissertation Chapter
Target Data Breach
Target is a large retail corporation that operates over 1,700 stores across the United States. It also operates as an online retailer at target.com. In 2012 the retailer earned more than $73 billion in revenue and grew its sales by 5.1% from the previous year (“Corporate overview,” 2013). Given that revenue and sales growth, it is hard to fathom that more money could not have been spent to ensure that consumer data is protected as much as possible. For information security specialists, one of the worst things that can happen is that our network is infiltrated and customer information is stolen. On December 19, 2013, Target released a statement saying that it had suffered an information security breach and suggested that as many as 70 million credit card records had been stolen (Jarvis & Milletary, 2014).
After a thorough investigation by federal law enforcement, it was determined that hackers had been able to infiltrate the network and place malware on several of the company’s point-of-sale (POS) systems. The attackers were meticulous and thought through their attack, attempting to conceal both their access and the malicious software they were using. On November 30, 2013, the attackers gained access to Target’s network. The following day they deployed their card-stealing malware onto the POS systems. On December 11 the attackers were first discovered, and on December 15 they were removed from the network. On December 19 Target acknowledged the breach to the public, and details started coming to light about the sophistication of the attack (Jarvis & Milletary, 2014).
After two months of investigation it was determined that Target had allowed its HVAC vendor access to its networks. The account created for the HVAC vendor had been compromised, which allowed the hackers onto Target’s network (Mlot, 2014). Once on the network, the attackers changed user accounts that were already on the system and gave them elevated privileges. Target uses BMC management software, which creates and uses a Best1_user account to authenticate the management software to the network. When installed, this account is not added to any groups and is locked down so that it only authenticates the necessary BMC services (“29 new clues,” 2014).
Once on Target’s network with elevated privileges, the attackers were able to deploy malware to the POS systems that captured consumers’ credit card information as they swiped their cards to pay for their items. They launched a second piece of malware that took the captured information and moved it to a dump server on the internal network. Once the information was on the dump server, it was then moved to a server that had access to the internet and eventually sent via FTP to a drop site so the attackers could retrieve it (Jarvis & Milletary, 2014). The attackers took the time to embed their malicious software inside files that were already in use on the target network. Masking and hiding their code allowed them to go undetected for several days. By the time they were discovered they had collected over 70 million consumers’ financial information and were selling the card information in batches (“29 new clues,” 2014).
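The staging path described above (POS terminals to an internal dump server, then to an internet-facing server, then out over FTP) leaves a recognizable trail in network flow logs. The following detection sketch is an added example, not code from the cited reports; the address ranges, the flow record format and the sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan (hypothetical; not taken from the breach reports).
POS_NET = ipaddress.ip_network("10.20.0.0/16")   # store POS terminals
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # everything inside the company
FTP_PORTS = {20, 21}

# Constructed flow records: epoch_seconds src dst dst_port bytes_sent
SAMPLE_FLOWS = """\
1000 10.20.1.11 10.5.0.40 445 52000
1060 10.20.1.12 10.5.0.40 445 48000
1120 10.20.2.30 10.5.0.40 445 51000
1500 10.5.0.40 10.5.0.77 445 150000
2200 10.5.0.77 203.0.113.9 21 149000
2300 10.5.0.90 198.51.100.4 443 3000
2400 10.20.3.5 10.5.0.91 445 900
"""

def parse(text):
    for line in text.splitlines():
        ts, src, dst, port, size = line.split()
        yield (int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(port), int(size))

def find_staged_exfil(text, min_pos_sources=3):
    """Flag outbound FTP from any host downstream of a POS collection point."""
    pos_sources = defaultdict(set)  # internal host -> POS terminals that sent it data
    tainted = {}                    # internal host -> staging chain that leads to it
    alerts = []
    for ts, src, dst, port, size in sorted(parse(text)):
        if src in POS_NET and dst in INTERNAL and dst not in POS_NET:
            # Many terminals pushing to one non-POS host looks like a dump server.
            pos_sources[dst].add(src)
            if len(pos_sources[dst]) >= min_pos_sources:
                tainted.setdefault(dst, [str(dst)])
        elif src in tainted and dst in INTERNAL:
            # Relay to another internal host: the next hop inherits the chain.
            tainted.setdefault(dst, tainted[src] + [str(dst)])
        elif src in tainted and port in FTP_PORTS:
            alerts.append({"time": ts, "chain": tainted[src],
                           "dropsite": str(dst), "bytes": size})
    return alerts

if __name__ == "__main__":
    for alert in find_staged_exfil(SAMPLE_FLOWS):
        print(alert)
```

On the sample records the only alert is the FTP transfer from 10.5.0.77, reported with the full chain back to the host that collected from three POS terminals; the unrelated HTTPS flow and the single POS connection to 10.5.0.91 stay quiet.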
Once Target realized the nature and magnitude of the breach, it released a statement informing its consumers that there had been a breach. It began taking a proactive and open approach to the details of the attack and how it happened. Most companies would want to keep this information quiet so as not to lose customer confidence. Target has been one of the few with a dedicated website that discusses the breach and what the company is doing so that it doesn’t happen again. The website has a FAQ section that explains what happened to consumers in layman’s terms. The executive vice president and CFO, John Mulligan, has recently stated that Target will be implementing smart cards that include a PIN for its retail credit cards. This is one of the measures being taken so that if the card information is stolen, it cannot be used without knowing the unique PIN associated with the card (Mulligan, 2014). Target has offered free credit monitoring for its consumers and is investing five million dollars in a cyber-security coalition that will educate people about internet scams and their dangers (“Target to invest,” 2014).
Conclusion
While the damage to the Target network is done and will cost the company millions of dollars, it is easy to say this breach could have been avoided. Even if it saved the company money to allow a third-party HVAC company onto its network, Target missed the basic principle of keeping its vital POS information network separate from its facility network. It begs the question: are the human resources files also on the same network as the HVAC and facilities controls? That could easily have put the company’s employee information at risk as well. It is, after all, best practice to keep our sensitive data separate from the rest of the network. Since smart cards have been around for some time, companies need to begin investing in a more secure credit card system: require a PIN every time a credit card is swiped. This will help ensure that even if a credit card is stolen, the attacker will not be able to access the information without the appropriate secret PIN. Instead the small banks will lose money and they will sue Target. Target will have to pay millions of dollars to the banks and those costs will get passed on to the consumer. After all, that is the American way.
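The segmentation point in the conclusion can be checked mechanically: no single firewall rule needs to connect a vendor to the POS network for a path to exist through intermediate zones. The audit below is an added example, not part of the original paper; the zone names, services and rule set are hypothetical and constructed for illustration.

```python
from collections import deque

# Constructed allow rules: (source zone, destination zone, service).
# Zone and service names are hypothetical.
ALLOW_RULES = [
    ("vendor_portal", "facilities", "https"),
    ("facilities", "corp_servers", "smb"),
    ("corp_servers", "pos", "mgmt-agent"),
    ("pos", "payment_processor", "tls"),
    ("corp_servers", "internet", "ftp"),
    ("hr", "corp_servers", "smb"),
]
UNTRUSTED = {"vendor_portal"}   # zones that third parties can log in to
SENSITIVE = {"pos", "hr"}       # zones holding card or employee data

def paths_into_sensitive(rules, untrusted=UNTRUSTED, sensitive=SENSITIVE):
    """Return {(start, target): hop list} for every sensitive zone that an
    untrusted zone can reach by chaining allow rules (breadth-first search)."""
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))
    findings = {}
    for start in sorted(untrusted):
        queue = deque([(start, [start])])
        seen = {start}
        while queue:
            zone, path = queue.popleft()
            for nxt, svc in graph.get(zone, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                hops = path + [f"--{svc}-->", nxt]
                if nxt in sensitive:
                    findings[(start, nxt)] = hops
                queue.append((nxt, hops))
    return findings

if __name__ == "__main__":
    for (start, target), hops in paths_into_sensitive(ALLOW_RULES).items():
        print(f"{start} can reach {target}: {' '.join(hops)}")
    # Removing the facilities-to-servers rule isolates the vendor zone.
    segmented = [r for r in ALLOW_RULES if r[:2] != ("facilities", "corp_servers")]
    print("after segmentation:", paths_into_sensitive(segmented))
```

With the sample rules the vendor zone reaches the POS zone in three hops even though no rule names both; the HR zone is not reachable because its only rule is outbound.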
References
29 new clues in the Target breach. (2014, January 14). Retrieved from http://krebsonsecurity.com/tag/target-data-breach/
Corporate overview. (2013). Retrieved from http://investors.target.com/phoenix.zhtml?c=65828&p=irol-homeProfile
Jarvis, K., & Milletary, J. (2014, January 24). Inside a targeted point-of-sale data breach. Retrieved from http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf
Mlot, S. (2014, February 2). HVAC vendor confirms link to Target data breach. Retrieved from http://www.pcmag.com/article2/0,2817,2430505,00.asp
Mulligan, J. (2014, February 4). Time for smartcards. Retrieved from https://corporate.target.com/discover/article/time-for-smartcards
Target to invest $5 million in cybersecurity coalition. (2014, January 14). Retrieved from https://corporate.target.com/discover/article/Target-to-invest-5-million-in-cybersecurity-coalit