It wasn’t just Santa on the move in December 2013.

Target in the US had just suffered a severe security breach that resulted in 40 million accounts being accessed and the credit and debit card details being appropriated by hackers. A month later they announced that the names, mailing addresses, phone numbers and email addresses of up to 70 million people were also stolen. They also stated “At this time, the Company is not able to estimate the costs, or a range of costs, related to the data breach.”

It was an indirect attack – the hackers focused on a broad range of retailers’ suppliers. As reported by cybersecurity expert Brian Krebs, sources say that credentials were stolen from Fazio Mechanical (a Pennsylvania-based air conditioning and refrigeration company). Two months before the subsequent data theft, a malware-injecting phishing attack was sent to employees of the firm by email. This has been linked to the Citadel malware – a password-stealing program related to the Zeus banking trojan.

Once the hackers had secured access to Fazio Mechanical, they were able to use its vendor credentials to gain access to Target’s network. Target self-manages the temperature and energy monitoring systems on its own network to ensure stores stay within an acceptable range – but provides vendors with access to this to fix bugs or apply patches to the system.

When inside the Target network, the hackers tested the malware for several weeks before the full-scale roll-out to most of Target’s POS devices. According to Reuters, the malware (known as Reedum) is a RAM scraper that seeks out the Track 1 and Track 2 data stored on the magnetic stripe of a credit or debit card, which together contain the cardholder’s name, account number, credit card number and expiry date. There are reports the breach also included the CVV data.
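The defensive counterpart of a RAM scraper is a detector that recognises the same Track 1 and Track 2 layouts when they turn up where they should not: in a memory dump of a POS process, or in the outbound traffic that carried the stolen data to the drop servers. The following is an added example, not code from the original post or from blueAPACHE. It looks for the ISO 7813 track formats (Track 1 begins with `%B`, fields separated by `^`; Track 2 begins with `;`, PAN and expiry separated by `=`), validates each candidate PAN with the Luhn check so random digit runs are not reported, and masks the PAN before returning it so the alert itself does not leak card data. The sample buffer, the function names and the use of the well-known test card numbers 4111111111111111 and 5555555555554444 are all constructed for the example.

```python
import re
from typing import Dict, List

# ISO/IEC 7813 magnetic-stripe layouts, as captured by a memory scraper.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test every real PAN must pass; filters noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so an alert can be triaged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> List[Dict[str, str]]:
    """Return one finding per Luhn-valid track record found in a text buffer."""
    hits: List[Dict[str, str]] = []
    for m in TRACK1_RE.finditer(blob):
        if luhn_valid(m.group("pan")):
            hits.append({
                "track": "1",
                "pan": mask_pan(m.group("pan")),
                "name": m.group("name").strip(),
                "exp": m.group("exp"),   # YYMM
            })
    for m in TRACK2_RE.finditer(blob):
        if luhn_valid(m.group("pan")):
            hits.append({
                "track": "2",
                "pan": mask_pan(m.group("pan")),
                "name": "",
                "exp": m.group("exp"),
            })
    return hits


# Constructed sample: a process memory fragment mixing HTTP text, two track
# records using published test PANs, and a decoy that fails the Luhn check.
SAMPLE_MEMORY = (
    "GET /status HTTP/1.1\r\nHost: pos.example.invalid\r\n\r\n"
    "%B4111111111111111^DOE/JANE^25121010000000000?"
    "\x00\x00terminal=LANE07\x00"
    ";5555555555554444=25121010000000000?"
    ";1234567890123456=25121010000000000?"   # decoy: not Luhn-valid
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(f"track {hit['track']}: PAN {hit['pan']} exp {hit['exp']} {hit['name']}")
```

Run against a memory dump or a reassembled outbound payload, a non-empty result from `find_track_data` is a high-confidence signal that card data is sitting in cleartext outside the payment application's protected path, which is exactly the condition a RAM scraper exploits.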

The captured information was then sent to servers in Europe, South America and the USA where it was picked up by the hackers. Their motivation? According to Andrey Komarov, CEO of US security start-up IntelCrawler, stolen credit card details can be sold in volume for $80 to $100 each. Multiply that by 40 million cards, and you quickly realise how big a business hacking is.

The Wall Street Journal, citing a confidential U.S. government report, reported that the hackers that went after Target spoke in Russian and the attacks were part of a broader effort. The U.S. government report, written with the help of iSight Partners, outlined that the attack may have ties to organized crime in the former Soviet Union. It also pointed out that traditional antivirus software couldn’t detect it at the time.

Five months after the attack, Target’s chief executive and chairman Gregg Steinhafel stepped down. This followed the removal of Beth Jacobs, their chief information officer.

Target reported it had sustained $252 million in gross breach-related expenses since December 2013. The breach expenses were offset by insurance claims, which netted the company $46 million in fiscal 2014 and $44 million in fiscal 2013, for a total of $90 million. Overall, Target’s net breach costs stand at $162 million.


So what have we learnt?

There are five obvious learnings from this attack:

  1. The Target attack has shown that business and IT need to be joined at the hip. If your systems crash, your business stops. If your security isn’t up to scratch, you are potentially putting a lot of people (clients, suppliers, partners and yourself) in a position of unacceptable risk.
  2. Every organisation is becoming digital and leaders need to understand IT, and ensure it is tightly aligned to the business. Blaming IT won’t cut it anymore – Boards and Executives are now being held accountable.
  3. Traditional antivirus won’t defend you against new malware and viruses. At blueAPACHE, we use Palo Alto next generation firewalls connected to their WildFire service on our core. If you are still relying on traditional antivirus, your risk levels are much higher.
  4. Limit access to your system. The promise of automation and streamlining processes might sound attractive, but if you can’t account for your partner’s security, you could be adding to your risk profile.
  5. If you can’t afford the resources and tools to adequately protect your business, outsource to people who can. Getting it wrong can be a costly exercise in more ways than one.


More information

Contact the blueAPACHE account management team to discuss your security status.