On December 13th, 2013, a blog devoted to IT security news broke a startling story — Target, one of the country’s largest big-box retailers, had been the victim of a security breach that exposed the credit card data of thousands of shoppers.
The attackers targeted the data stored in the magnetic strips of customers’ cards. The website reported that the window of time in which customers’ data was vulnerable seemed to be expanding at press time and that customers from throughout the entirety of the US had been affected. The next day, Target issued a statement, confirming the breach.
“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores,” Target’s press release read bluntly. Target customers across the country went into a panic. The breach couldn’t have come at a worse time; the window of vulnerability was during the year’s busiest shopping season.
Ultimately, 70 million Target shoppers would be affected by the breach. The attackers carried out the attack by installing malware on the retailer’s security and payment system. The malware was activated each time a cashier swiped a customer’s debit or credit card, with the captured information being stored on a server to which the hackers had gained access. Worse, the attackers also gained access to customers’ PINs, encrypted within the cards’ data.
Shoppers were surprised to discover that it was physical and not online purchases that put them at risk. However, this attack served as proof positive that all information that is stored on a server can be subject to an attack, and that all digital assets, including credit card processing devices, are at risk of an attack.
“[Everyone] speculated wildly about how this could have been done. And [everyone] focused on one point of attack – the POS system. There are standards retailers follow, set forth by the [payment industry] that are meant to keep data safe,” wrote Paula Rosenblum for Forbes. The POS system (an acronym for “point of sale,” meaning the cash register and card processing device as a single unit) may have seemed, to some, to be somehow outside the scope of what a hacker could gain access to. However, it’s important to remember that all data stored digitally is susceptible to an attack.
The method that the hackers used would have been laughable had the situation not been so dire. The hackers didn’t write some complex script or carry out a devious midnight break-in of the kind one might visualize after watching espionage films. The reality is that, in order to carry out the biggest attack in retail history, the hackers merely purchased commercially available POS system hacking software for a few thousand dollars from a website.
With the help of this software, the hackers gained entry to virtually all of Target’s servers, freely exploring the company’s intricate online system of information. The intrusion went unnoticed for weeks, during which the attackers eventually stumbled upon a method by which they could easily collect customers’ card data.
Many wondered how Target’s firewalls and security software didn’t automatically detect the intrusion. The hackers, however, would not have been detectable by this software, as they gained access via port 80, which is left open for Internet traffic. To draw an analogy, it would be as if intruders entered a well-guarded government building not by breaking in with guns drawn, but rather by simply dressing up as government employees and carrying fake badges. To Target’s IT team, the intruders’ access to the organization’s most private data appeared to be nothing more than normal traffic flow. This demonstrated a serious need for improved cyber security measures.
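The point above is that a port-based rule cannot distinguish the intruders' traffic from ordinary web traffic; a defender has to look at which hosts are talking to which destinations and how much they send. The following added example (not from the original article; it uses a constructed flow log and hypothetical POS segment and gateway addresses) contrasts a port-only rule, which passes everything on port 80, with a destination allowlist and outbound-volume check applied to the card-handling segment.

```python
import ipaddress

# Constructed flow records (not real Target data): timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2013-12-01T02:10:05 10.20.5.17 203.0.113.44 80 1843
2013-12-01T02:10:09 10.20.5.17 198.51.100.10 80 53219
2013-12-01T02:11:30 10.40.1.8 203.0.113.44 443 900
2013-12-01T02:12:01 10.20.5.22 192.0.2.77 80 4096000
"""

# Assumed (hypothetical) layout: POS terminals sit in 10.20.0.0/16 and only
# need to reach the payment gateway at 203.0.113.44.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
EGRESS_ALLOWLIST = {"203.0.113.44"}
BULK_BYTES = 1_000_000  # outbound volume a card terminal should never approach

def parse_flows(text):
    """Return (src, dst, port, bytes_out) tuples from the whitespace-separated log."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, port, nbytes = line.split()
            flows.append((src, dst, int(port), int(nbytes)))
    return flows

def port_only_allows(flow):
    """What a port-based firewall rule sees: web ports are open, so it all passes."""
    return flow[2] in (80, 443)

def pos_egress_findings(flows):
    """Flag POS hosts talking to anything but the allowlisted gateway, or pushing
    an unusual volume outbound, regardless of which port the traffic uses."""
    findings = []
    for src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in POS_SEGMENT:
            continue  # only the card-handling segment gets the strict policy
        reasons = []
        if dst not in EGRESS_ALLOWLIST:
            reasons.append("unlisted destination")
        if nbytes >= BULK_BYTES:
            reasons.append("bulk outbound transfer")
        if reasons:
            findings.append(f"{src} -> {dst}:{port} ({', '.join(reasons)})")
    return findings

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("port-only rule blocks:", [f for f in flows if not port_only_allows(f)])
    for finding in pos_egress_findings(flows):
        print("ALERT", finding)
```

Run stand-alone, the port-only check blocks nothing, while the segment-aware check reports the two POS hosts reaching destinations outside the gateway allowlist.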
What Companies Can Learn From Target's Mistakes
The average person – one who is not particularly technology industry-savvy – has quite the dramatized image of hackers and technology personnel in their mind. They picture hackers as brilliant computer scientists who simply pound away furiously at their keyboards, amazingly inventing convoluted strings of numbers and code that somehow unlock the door to a wealth of guarded data. They visualize IT security teams as being tantamount to the NASA control room: hundreds of business attire-clad experts vigilantly watching computer monitors displaying rapidly changing numbers and figures, yelling, “sir, we have a breach!” when something is out of the norm.
Anyone with even a basic understanding of IT security knows that the above description is one of imagination rather than reality. In reality, IT security teams are often under-funded and using dated security software and measures to cut costs. Or, oftentimes there isn’t so much an “IT security” team as there is just an IT team, struggling to keep up with an ever-changing digital landscape where yesterday’s solution provides no relief for today’s problem. As for the hackers, they aren’t sinister, brilliant masterminds. Oftentimes, they’re mere teenagers who bought attack software off of a black market Internet forum.
Target has never outright admitted culpability or a failure to take the appropriate measures to prevent an attack of this magnitude; this would, to put it simply, be lousy PR. However, the departure of their former CIO is suspect. Target, like so many other companies, adhered to the appropriate laws and regulations, such as the PCI Security Standards, but did nothing above the ordinary to prevent an attack.
What we can learn from the Target security breach, ultimately, is that “good enough” no longer works in the world of IT security. Companies have to be willing to adequately fund their IT security teams, as not doing so will almost always be far more costly and detrimental to their bottom line. Consistently updating software and investing in new security technology simply must be commonplace for any major organization.
Furthermore, companies need to employ security professionals who are experts in their field, rather than leaving security as an afterthought for the IT team to handle. Had Target employed true experts in the field of security, those experts would have been aware of the commercially available hacking software used in the attack and would have insisted on preemptive countermeasures. However, Target was completely unaware that this type of software existed or that it could put their customers’ sensitive data at risk.