The Target Corporation data breach occurred in December 2013. Attackers breached Target Corporation and retrieved an estimated 70 million pieces of personally identifiable information. The identity of the attackers remains unknown. Their tactics, techniques, and procedures were fairly generic, which made their activity difficult to trace and identify. The tools they may have used were not necessarily malicious in themselves; they appear to have been generic IT tools.
The attackers used stolen HVAC vendor credentials, most likely obtained through a simple phishing scam, to gain initial access to the system. After making their way into web services with these credentials, they installed malware on Target's servers in Massachusetts. The malware then simply used the SMB protocol to periodically retrieve pertinent data from the network.
While headlines at the time made the situation look dire, the overall loss or impact to Target was very minimal from a long-term point of view. Target actually reported increased revenue for 2013, while reporting a 34.3% reduction in profit for the year. The stock price initially dropped 10% after the leak but recovered to regular levels within two months. Investors, for the time being, appear to have taken the stance that major retailers are universally prone to having private data breached, which explains the Target Corporation's resilience.
Following these leaks, the Target Corporation was subject to two class action lawsuits, settled for US$10 million and US$18.5 million respectively. These figures are trivial when compared to the company's current $69.5 billion annual revenue and over $20 billion in gross profit.
In response to an earlier data leak at another American department store chain, J. C. Penney Company Inc., the Target Corporation and other retailers universally invested in better security measures. This increased investment did not appear to serve as a successful deterrent against Target being compromised. This suggests that, while investment is necessary, it will be some time before security standards are able to withstand the constantly mounting threat.
Organizations can certainly learn from Target's experience, starting with a few recommendations based on what experts have been able to gather from the breach. Firstly, organizations need to be fully invested in PCI compliance, not only to meet mandatory standards but to stay well ahead of them; investing in PCI compliance will directly reduce the risk of debit and credit card loss. Secondly, ensuring that chip readers are enabled at all cash registers in all locations is crucial. This relatively modern security standard effectively renders malicious and widespread RFID scanners useless. Thirdly, programs running on point-of-sale systems should be authorized only by a strict whitelist, thus disabling any potentially malicious software. Fourthly, organizations need to eliminate any excessive reliance they have on outbound communications that could serve as C&C channels. While organizations could put more effort into monitoring these communications, such efforts would likely be futile, as Target's case demonstrated. Distributing data, communications, and traffic across a larger number of smaller subsystems will likely cut an organization's losses in the event of an attack. As a final recommendation, organizations should be willing to participate in information-sharing bodies as a countermeasure against threats as they arise.
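The third recommendation above, a strict whitelist for point-of-sale software, is easiest to reason about as a hash-based allowlist: a binary runs only if its digest is on a known-good list, so a renamed or replaced executable is blocked even when its file name looks legitimate. The following is an added illustration, not code from the original text or from Target; the binaries, their names and the "known-good" hashes are constructed stand-ins, and `audit_processes` models the decision an allowlisting agent would make for each running image.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an executable image, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()

# Constructed allowlist: digest -> human-readable label. In a real deployment
# these hashes come from the gold POS image; the bytes here are placeholders.
GOLD_POS_REGISTER = b"CONSTRUCTED pos_register build 4.2"
GOLD_RECEIPT_PRINTER = b"CONSTRUCTED receipt_printer build 1.9"

ALLOWED_HASHES: Dict[str, str] = {
    sha256_hex(GOLD_POS_REGISTER): "pos_register 4.2",
    sha256_hex(GOLD_RECEIPT_PRINTER): "receipt_printer 1.9",
}

def check_process(name: str, image: bytes, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Decide allow/block for one running image.

    The decision is keyed on the hash, never on the file name: an attacker
    controls the name, but cannot produce a known-good digest for a modified
    or foreign binary.
    """
    digest = sha256_hex(image)
    label = allowlist.get(digest)
    if label is None:
        return ("block", f"{name}: sha256={digest[:12]}... not on allowlist")
    return ("allow", f"{name}: verified as {label}")

def audit_processes(processes: List[Tuple[str, bytes]],
                    allowlist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run the allowlist check over a snapshot of running images."""
    return [check_process(name, image, allowlist) for name, image in processes]

def blocked_count(results: List[Tuple[str, str]]) -> int:
    return sum(1 for verdict, _ in results if verdict == "block")

# Constructed snapshot of a POS terminal: one genuine binary, one with a
# single byte altered (tampered), and one unknown program using a harmless-
# looking name. The name alone would not reveal the last two.
SAMPLE_PROCESSES: List[Tuple[str, bytes]] = [
    ("pos_register.exe", GOLD_POS_REGISTER),
    ("receipt_printer.exe", GOLD_RECEIPT_PRINTER + b"\x00"),
    ("svchost.exe", b"CONSTRUCTED unknown program"),
]

if __name__ == "__main__":
    for verdict, reason in audit_processes(SAMPLE_PROCESSES, ALLOWED_HASHES):
        print(f"{verdict.upper():5} {reason}")
```

Because the allowlist is keyed on the digest, rotating the gold image means publishing new hashes rather than trusting new names, and a "block" verdict on a POS terminal is a high-signal event worth forwarding to the SOC regardless of what the offending file calls itself.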
Common Vulnerabilities and Exposures, commonly known as CVEs, is a catalog of recorded information-security issues that aims to give professionals an easily accessible list of security threats. It is sponsored by the United States Department of Homeland Security, with the intent of being readily available to security administrators who need information about specific security threats.
Assembling all of this information into one trustworthy, organized place does a tremendous service to security experts, making the task of resolving most security issues much less burdensome. CVE defines a vulnerability as "a mistake in software code that provides an attacker with direct access to a system or network." Vulnerabilities create the possibility for an attacker to illegitimately gain access to a given system. Successful exploitation of these vulnerabilities could result in damaged equipment, unwanted access privileges, or tampered data. The potential consequences, depending on the targeted system, include damaged customer trust, financial loss, and even loss of life.