Target Hack Lessons Learned

Target Hack 9 Month Review

It has been almost a year since the Target breach began. Target’s damage control for this major crisis has been effective but very costly, which should serve as a warning to other enterprises likely to face similar retail data challenges.

The Event

The data breach during the 2013 holiday season exposed 40 million customer debit and credit card accounts, a problem of massive proportions for the national retailer. Based on the results of the independent Verizon investigation, virtually nothing was in place to stop attackers from gaining complete access to every cash register in every Target store. If that seems scary, it absolutely is. That statement alone should give chills to retail CEOs and major stockholders alike.

Verizon’s detailed study turned up alarming findings. Its security consultants were able to communicate with point-of-sale registers directly from the core corporate network, meaning there was no effective segmentation between the two. In one instance, they reached cash registers in the checkout lanes of one store after compromising a deli meat scale located in a different store. Once the pentesters had a foothold, there were no limits on where they could travel throughout the network.

The theory of how the attackers initially gained entry, as presented on several reputable sites, follows the typical malware pattern: one entry point used to infiltrate many victims. The proposed theory (Target will neither confirm nor deny it) is that a small HVAC firm in Pennsylvania that worked with Target had first suffered its own email malware breach. In that intrusion the thieves discovered the virtual private network credentials the firm used to remotely connect to Target’s network. For them it was a big payday. The attackers used that legitimate hook, the HVAC vendor’s credentials, to push their malicious software down to the cash registers at more than 1,800 stores nationwide.

Business After-Effect

Ultimately it was a security blogger who broke the news, suggesting Target was hiding the bad news from customers even though the company was already in contact with the Department of Justice about the breach. Afterwards, the company discreetly hired a forensic investigator. The quiet approach did not work in this case, and it became apparent that Target had failed to act on warning signs that a major breach was imminent. Target’s profits dropped almost 50 percent from the same period the previous year, and customers who could not get past the busy signal on the company’s customer service hotline lashed out.

To help foster some goodwill, Target announced a 10 percent discount the weekend before Christmas and offered free credit monitoring to affected customers. The company rebuilt its security systems to identify risks and trained employees on information security measures. This was needed because password practices were extremely weak: about 20 percent of passwords started with a capital letter and ended with a number, and 16 percent ended with a single digit, predictable structures that make a cracking attack far cheaper than password length alone would suggest.
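As an added illustration (not part of the original post, and not Target’s or Verizon’s tooling), the following Python script shows how an assessor would summarize a cracked password set for exactly the structural weaknesses cited above: it measures how many passwords fit the “capital first letter, digit last” and “single trailing digit” shapes, derives hashcat-style masks to show how few patterns cover the set, and applies the same checks as a rejection rule for new passwords. The sample passwords are constructed for the example and are not real Target data; the 12-character minimum is an assumed policy value.

```python
import re
from collections import Counter

# Constructed sample standing in for a cracked password set (not Target data).
SAMPLE_PASSWORDS = [
    "Summer2013", "Target1", "Welcome1", "password", "Spring14",
    "Qwerty12", "letmein", "Admin2013!", "Holiday99", "p@ssw0rd",
]

# Capital first letter and a digit last ("Summer2013", "Welcome1").
CAP_START_DIGIT_END = re.compile(r"^[A-Z].*\d$")
# Exactly one trailing digit ("Target1" but not "Spring14").
SINGLE_TRAILING_DIGIT = re.compile(r"(?<!\d)\d$")


def audit_password_patterns(passwords):
    """Return the fraction of passwords matching each structural pattern."""
    total = len(passwords)
    hits = Counter()
    for pw in passwords:
        if CAP_START_DIGIT_END.match(pw):
            hits["cap_start_digit_end"] += 1
        if SINGLE_TRAILING_DIGIT.search(pw):
            hits["single_trailing_digit"] += 1
    return {
        "cap_start_digit_end": hits["cap_start_digit_end"] / total,
        "single_trailing_digit": hits["single_trailing_digit"] / total,
    }


def password_mask(pw):
    """Map a password to a hashcat-style mask (?u upper, ?l lower, ?d digit, ?s other)."""
    parts = []
    for ch in pw:
        if ch.isupper():
            parts.append("?u")
        elif ch.islower():
            parts.append("?l")
        elif ch.isdigit():
            parts.append("?d")
        else:
            parts.append("?s")
    return "".join(parts)


def top_masks(passwords, n=3):
    """Most common masks; a few dominant masks mean a mask attack finishes quickly."""
    return Counter(password_mask(pw) for pw in passwords).most_common(n)


def weak_pattern_reasons(pw, min_length=12):
    """Policy check for new passwords: list the reasons a candidate would be rejected.

    min_length=12 is an assumed policy value, not one taken from the post.
    """
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if CAP_START_DIGIT_END.match(pw):
        reasons.append("capital first letter with trailing digit")
    if SINGLE_TRAILING_DIGIT.search(pw):
        reasons.append("single trailing digit")
    return reasons


if __name__ == "__main__":
    for name, share in audit_password_patterns(SAMPLE_PASSWORDS).items():
        print(f"{name}: {share:.0%}")
    for mask, count in top_masks(SAMPLE_PASSWORDS):
        print(f"{count:2d} x {mask}")
    for candidate in ("Summer2013", "correct horse battery staple"):
        print(candidate, "->", weak_pattern_reasons(candidate) or ["accepted"])
```

On a real engagement the input would be the output of a cracking run against the domain’s hashes rather than a hard-coded list; the point of the mask summary is that a handful of masks like `?u?l?l?l?l?l?d?d` typically cover a large share of a corporate password set, which is why the post’s 20 percent and 16 percent figures mattered.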

After the smoke cleared, Target’s CEO and CIO both resigned within a few months of the attack.

Take Away

At Pace Morgan Executive Search we speak regularly with CIO and CISO leaders about security strategy and team building. The clients we work with use our firm to fill roles from analyst through Chief Information Security Officer. Over the last 3 months we conducted a survey of IT leadership, and an overwhelming 100% agree:

“Make people and process investments in cybersecurity teams BEFORE you get attacked. The impact of a cybersecurity intrusion can start from a very small, unsuspected location and manifest itself like a cancer company-wide in short order.”

Having systematic, well-defined information security procedures and systems will limit the access points a cyber criminal can use to punch through your perimeter. And if an attacker does make it through a strong perimeter, monitoring systems and strong password controls can stop them soon after entry, before they spread through your entire organization. Yes, there is an expense associated with staff and the related software and hardware, but the total cost is far less than having your organization turned upside down and earning the dubious honor of multiple class action lawsuits.