The 2013 hack that affected up to 110 million Target customers stunned shoppers who thought their information was safe with major retailers. In the following months, a great deal of information came out about the attack. Each new revelation has only served to underscore how vulnerable personal data is in a world of computer-savvy hackers.
The Initial Attack
In the immediate aftermath of the Target security breach during the 2013 holiday season, the retailer leapt swiftly into action to assure customers that it was safe to return to the store. Target’s first announcement about the attack indicated that the incidents took place from Nov. 27 to Dec. 6. Shortly after, the company amended this statement, saying that shoppers who purchased items at Target stores between Nov. 27 and Dec. 15 were at risk.
This initial mistake was only the beginning of what would become a PR disaster as more information came out. While Target has since taken many measures to assure customers that they’re safe and to assist those who were affected, the debacle is going to create a long-term stain on the company’s otherwise impressive security record.
The Russian Virus
In mid-January, the government released a memo indicating that the attack against Target Corp was linked to a Russian computer virus. The virus is known as KARTOKHA, which translates to “potato” in Russian. The virus was available on the hacker black market for several months before the attack.
The memo noted that anti-virus software could not detect this particular virus. The malware executed its attack in two stages. It infected payment devices first, directing them to copy the data contained in the magnetic stripe on debit and credit cards. After the virus collected the information, it executed the second part of the attack, which was to transmit the data back to the cybercriminals. The virus operated only between the hours of 10 a.m. and 5 p.m., targeting the stores’ busiest times.
The Infected HVAC Vendor
In early February, consumers learned how the malware got into Target’s system. HVAC vendor Fazio Mechanical Services unwittingly provided the cyber criminals with the information needed to get into Target’s system. The virus used forged credentials that matched those of Fazio. While this revelation fits another piece into the puzzle, it also raises new and concerning questions.
The systems that the HVAC vendor has access to should have remained completely separate and secure. Yet the hackers gained entry to the system with HVAC credentials and managed to worm their way into the payment system. Fazio contends that their only communications with Target Corp were related to billing and contract proposals.
If this is true, then a dangerous flaw in Target’s systems gave the hackers access to secure payment information from this seemingly innocent entry point. The first mistake on Target’s part was keeping all its data on the same network. While this weakens a company’s security, it isn’t a fatal flaw. Keeping all systems on a single network is the cheapest and most efficient way for a company to operate. Even on a unified network, however, Target should have kept the individual systems completely separate from one another, which clearly did not happen.
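The separation described above can be checked mechanically. The following is an added example, not part of the original article and not Target's actual configuration: it walks a constructed set of firewall allow rules and reports any chain of permitted hops that leads from a vendor-facing zone to the payment zone. All zone names, ports and rules are hypothetical.

```python
from collections import deque

# Constructed allow rules: (source zone, destination zone, port). Hypothetical zones.
ALLOW_RULES = [
    ("vendor_portal", "billing_app", 443),
    ("billing_app", "corp_servers", 445),
    ("corp_servers", "pos_terminals", 445),   # the rule that breaks isolation
    ("pos_terminals", "payment_processor", 443),
]

# Same rule set with the corporate-to-POS rule removed (the segmented design).
SEGMENTED_RULES = [r for r in ALLOW_RULES
                   if r != ("corp_servers", "pos_terminals", 445)]


def find_path(rules, source, target):
    """Return the shortest chain of allowed hops from source to target, or None."""
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for dst, port in graph.get(zone, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, port)]))
    return None


def audit(rules, untrusted, protected):
    """Map each (untrusted, protected) zone pair to the hop chain connecting them."""
    findings = {}
    for u in untrusted:
        for p in protected:
            path = find_path(rules, u, p)
            if path is not None:
                findings[(u, p)] = path
    return findings


if __name__ == "__main__":
    for (u, p), path in audit(ALLOW_RULES, ["vendor_portal"], ["pos_terminals"]).items():
        hops = ", ".join(f"{s}->{d}:{port}" for s, d, port in path)
        print(f"VIOLATION: {u} can reach {p} via {hops}")
```

No single rule here connects the vendor portal to the payment terminals; the exposure only appears when the rules are followed transitively, which is why reviewing rules one at a time can miss it.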
The Phishing Email
Working backwards, the next question is how Fazio Mechanical Services fell victim to the hackers. It appears that the attack began as a phishing email. Phishing emails take on the appearance of an authentic email request from a trusted source. These emails ask for personal information such as passwords and credit card details. The email may also contain a link to a malicious web page.
If the recipient either clicks the link or responds with his or her personal data, the cyber criminals will have everything they need to execute an attack. Phishing emails are typically sent en masse, so it is unlikely that Fazio was the only vendor targeted. In fact, Target Corp may not have been the chosen victim until the phishing email successfully returned sensitive data providing access to the store, making it a prime choice for stealing information from holiday shoppers.
While the employee’s lax attitude toward the suspicious email was the main weakness in this situation, the problem was exacerbated by the fact that Fazio was using only the free version of an anti-malware program to protect its computers. The software was not licensed for business use and did not provide real-time threat monitoring.
The Corporate Fallout
In March, the fallout from the holiday scandal finally hit Target’s corporate office in a measurable way. Beth Jacob, the company’s chief information officer, stepped down from her position. The company announced that it will seek a new CIO externally after carefully evaluating this role and its requirements. Target Corp is also hiring externally for a Chief Compliance Officer.
Damage Control for Customers
Target customers are left with a sour taste after this major security breach, but their financial health shouldn’t suffer any major consequences. Target is responsible for any fraudulent charges made as a result of this incident. Some estimates indicate that the company may have to pay out as much as $50 million.
Customers who shopped at Target stores between Nov. 27 and Dec. 15 can take advantage of a free credit monitoring service for the next year, as well as identity theft protection. These measures will help keep customers safe from any further threats. Consumers who are worried about the safety of their personal information should keep a close eye on bank and credit card accounts for fraudulent charges, and examine their credit reports for new cards opened fraudulently in their name.
Customers are also advised to ignore any emails that look like they’re coming from Target, lest they fall victim to phishing scams similar to the one that began this scandal.
Target’s holiday security breach received a lot of publicity, but it’s hardly the only situation of its kind. Neiman Marcus and Sally Beauty Supply have suffered similar hacks. What consumers should walk away with is a new understanding of the ever-present dangers, and a renewed diligence about watching for signs of fraudulent activity that may indicate identity theft.