The Target Corporation Cyber Attack
Details, Timeline and Costs of the Target Data Breach
Target's 2013 holiday data breach and cyber attack
Who was attacked?
In what seems like the stone that sent the retail cybersecurity wall crashing down, Target announced a major data breach following the 2013 holiday shopping season. At a time when more customers were in the store than any other time of year, cyber criminals gained access to the retailer's network and began syphoning credit card data off of the system. Because of the manner in which the hackers gained access, their activity went undetected for almost a month.
What happened during the attack?
Over 100 million individuals were exposed in the attack. Target reported that the information compromised in the attack included mailing addresses, names, email address, phone numbers, and credit and debit card account data. According to the retailer, not all records compromised contained all those types of data; the most valuable data to these cyber hackers was credit and debt account numbers. They stole this data. Law-enforcement officials also noted that names, phone numbers, and email addresses were stolen too; this added information provided cyber criminals with the information required to hack other consumer accounts or launch phishing schemes. Further, the credit card data breached in the attack included account numbers, CVV security codes, and expiration dates. Could it have been a worse case scenario for Target?
Where did the cyber criminals go?
Like the IRS breach, the hackers in the Target attack used legitimate credentials to initially enter the system. They began with stolen credentials from an HVAC company that acts as a contractor to several Target locations. From that entry point, the hackers were able to exploit a previously unknown flaw in what was then traditional retailer point-of-sale encryption. Payment Card Industry data requirements do mandate that any organization gathering credit and debit card information for the purpose of charging the card encrypt that information according to a sophisticated set of security rules. The cyber hackers, however, got into the system at a point in the process that let them scrape the data prior to some of the encryption processes.
Investigations into the breach indicate that Target was made aware of the breach by its cybersecurity service. According to reports, the retailer had time to act to stop the theft of data, but it failed to act in a timely manner to prevent the theft. Because of Target's slow movement on the issue, it is facing dozens of lawsuits and up to $3.6 billion in fines. In the early summer of 2015, Target attempted to settle the lawsuits with $10,000 for each account holder impacted by the breach, but that settlement was held up in court at the time.
Takeaways from the Target breach and following actions include:
· A lesson on paying attention to security reports and warnings from security services that you employ.
· The knowledge that security services currently on the market are able to identify or stop risks.
· The fact that the cost of data breaches can be billions and plague corporations for years.
What could Target have done better? Corporate disclosure. As a public company, the Board has a fiduciary, and moral, obligation to disclose hacks faster. If you’re a public shareholder, don’t buy a company’s stock until you know their privacy policies. Ask whether the company is as pro-active about protecting their end consumer as they are in making money? The corporations of today have an obligation to defend and protect every consumer.
Yes, within reason, but these material breaches must be prevented ahead of time at all costs, and disclosed when they’re not. Even working with a top company like FireEye, Target still missed the warning signs. However, we believe that Target was too concerned about losing shoppers in the busiest time of year. Shouldn’t they have worried about losing millions more customers in the future?
Timeline and Speech on the Target Attack by cybersecurity expert:
In 2013, at the height of the holiday shopping season, Target, which generates most of the revenue in the holiday season, was attacked. Now that we've realized and analyzed it through our book, "Cyber Nation," what happened with the Target attack. What we believe is that there was a HVAC company which was responsible with heating and air conditioning for many retail stores of Target that their company was attacked and that through their computer access, they were able to then remotely control some of Target's retail operations in some of their units. They were collecting data. In this over 100 million people who had ever shopped at Target. Their personal private credit card information, first name, last name were stolen vis-a-vis this HVAC contract.
Now, this is the ultimate level of sophistication that not only you didn't attack Target directly because that would have been harder perhaps. They were working with FireEye, I believe before that. Maybe the cyber attackers thought it would be too difficult, so they bypassed traditional hacking methods. If you're a company whether you're a Fortune 500 or a small company in America, you have to realize that it's not necessarily just you, yourself, and your servers, and your network. It's sometimes people that have access to it, so hacking can be done through a third party. But it's a devastating attack and Target is just one example of many in our book, "Cyber Nation," where may be they had a little defense and some cyber protection, but they didn't think that there are other ways to enter the sort of trojan horse, so to speak, to get into through into their network.
Attacking Target cost them hundreds if not billions of dollars. Not just in brand name, goodwill, reputation, but it definitely took them six months to a year before the next holiday season, which again is their biggest time. But I don't think they've fully recovered. I think they're still a lot of security that Target needs to implement. Look at the biggest retailer of all, arguably that's Amazon. But Walmart is a brick and mortar retail with hundreds of billions of dollars in worldwide revenue. This signals that Target, in fact, signals that every company whether you're a brick and mortar or whether you're online that your consumer data is important and that it's time to start protecting it with the right cyber defenses. Oftentimes, I see companies acting after the fact (ex post facto) and not proactively.
In "Cyber Nation," I say it's time to spend at least 10% of your budget every year. As a chief information officer, you have to spend 10%, at least, if not more to protect your company. I think this is a wake up call for CIOs, chief information officers for computer network security, Oracle system administrators to Cisco. I mean, think about your security in your network and as an example of what companies can do is to hire people to hack your system. Hire white hackers who infiltrate your network and tell you where you and make you honest. Make you realize the things you need to invest in to protect your consumers for the whole purpose behind the American capitalist system. It's a wake up call and I'm hoping that Target is not that other companies don't fall victim the way they did.
Want to learn more about cybersecurity companies?
And How to Prevent these Cyber Attacks?