Target Corporation (Target) (www.target.com) is the second largest discount retailer in the United States, after Walmart. In late 2013, Target disclosed that it had been the victim of a massive data breach. The breach has been compared with the 2009 non-retail Heartland Payment Systems breach, which affected 130 million card holders, and with the 2007 retail TJX Companies breach, which affected 90 million card holders.

 

Let’s take a closer look at the attack. Just prior to Thanksgiving 2013, an unknown individual or group installed malware in Target’s security and payments system. The malware was designed to steal every credit card used at the company’s nearly 1,800 U.S. stores. Amazingly, Target was prepared for the attack. Six months prior to Thanksgiving, the company had installed a malware detection tool manufactured by the computer security firm FireEye (www.fireeye.com). In addition, Target had assembled a team of security specialists in Bangalore, India, to monitor its computers around the clock. If the team noticed anything suspicious, they would notify Target’s security operations center in Minneapolis. Around Thanksgiving, Target’s antivirus system, Symantec Endpoint Protection (www.symantec.com), identified suspicious behavior over several days. Target management ignored the system’s warnings. On November 30, 2013, the attackers loaded malware to transfer stolen credit card numbers—first to computers around the United States to cover their tracks and then into their computers in Russia. FireEye spotted the attackers and alerted Bangalore. In turn, Bangalore alerted the Target security team in Minneapolis. And … nothing happened. For some reason,

Minneapolis did not respond to the alert. Even worse, the Fire- Eye system includes an option to automatically delete malware as it is detected. Target’s security team had turned off the option.

 

On December 18, 2013, security expert Brian Krebs (see http://krebsonsecurity.com) broke the news that Target was investigating a major data breach. On December 19, Target confirmed the incident via a press release, revealing that the attack took place between November 27 and December 15. Eventually, Target acknowledged that attackers had stolen personal data from 110 million customers including customer names, addresses, phone numbers, e-mail addresses, credit and debit card numbers, card expiration dates, credit card security codes (also called card verification codes), and debit card PIN data. The attackers sent 11 gigabytes of data to a Moscow-based hosting service called vpsville.ru. A Target spokesman defended the company by arguing it has too many clients to monitor all of them effectively.

 

Investigators from the U.S. Secret Service, the agency leading the government’s investigation into the Target breach, visited the offices of Fazio Mechanical Services (www.faziomechanical.com), a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider. The investigators believe that Target’s attackers initially accessed the retailer’s network on November 15, 2013, using access credentials they had stolen from Fazio in a phishing attack. The attackers then used those credentials to access Target’s payment processing and point-of-sale (POS) systems. (It is important to note that as of early 2015, none of these points had been proved, and the investigation was ongoing.)

Fazio purportedly used a free version of an antivirus software product called Malwarebytes (www.malwarebytes.com) for protection. Significantly, this version is intended for consumer use only. Therefore, if Fazio had used this version, then the company would be in violation of Malwarebytes’s license. Further, the free version of Malwarebytes does not provide real-time scanning of files for malware, meaning that free antivirus software is not an industry best practice. Fazio responded that “our IT system and security measures are in full compliance with industry practices.” Fazio had access to Target’s network because Target relies on HVAC systems with IP addresses that can be remotely monitored and adjusted by Fazio to manage store environments.

(Note: This practice is standard for retailers, supermarkets, and similar businesses.)

 

Target’s system, like any standard corporate network, is segmented so that the most sensitive areas—including customer payments and personal data—are walled off from other parts of the network, particularly the Internet. Clearly, Target’s internal walls had holes. As a result, the attackers could proceed from the part of the network that its vendors could access to more sensitive parts of the network where customer data were located.

Questions involving the Target breach focused on the security processes in place at Fazio, as well as the controls in place at Target. Target is liable, per Payment Card Industry Data Security

Standards (PCI-DSS), for any of its third-party contractors’ security faults. Notably, PCI-DSS requires that merchants “incorporate two-factor authentication for remote access to the network by employees, administrators, and third parties.” However, one challenge when granting remote access to a third party (e.g., a contractor) is that multiple employees of that contractor may have access to those credentials. For example, a contractor may have many technicians who require access on a revolving basis.

 

Among the most pertinent questions regarding the Target attack are the following:

Did Target secure Fazio’s access to its network using two factor authentication?

What level of network access did Target grant to Fazio?

Was Target actively monitoring Fazio’s access?

Were Target’s HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network systems?

 

Target’s Response

Target encouraged customers who shopped at its U.S. stores (online orders were not affected) during the specified time frame to closely monitor their credit and debit cards for irregular activity. The retailer cooperated with law enforcement agencies to bring the responsible parties to justice. Gregg Steinhafel, Target’s CEO, apologized to the retailer’s customers in a press release. As a further apology to the public, all Target stores in the United States awarded retail shoppers a 10 percent storewide discount for the weekend of December 21–22, 2013. Finally, Target offered free credit monitoring via Experian to affected customers.