A great deal of detailed information has surfaced regarding the infamous Target data security breach that affected the credit and debit card information of over 40 million Target shoppers over the holiday season. Target announced the breach on December 19th, 2013. Since then, Target has reported that its net profit for the critical 4th-quarter holiday shopping season was down 46%, and that it had already incurred $61 million in expenses related to the breach. Some equities analysts expect the total cost of the breach to top $1 billion. If Target is found to have violated Payment Card Industry (PCI) standards, it could be subject to huge fines related to this breach.
It has been reported that the source of the Target intrusion was stolen access credentials to a vendor portal that had been issued to a PA-based HVAC contractor. Apparently, vendors that provide services to Target use an external vendor management portal named Ariba to submit invoices and receive payment from Target. It is thought that the attackers somehow gained access to the administrative portal of the vendor system, which in turn allowed them to gain access to Target’s internal network.
The credentials to access the vendor portal were stolen from the HVAC contractor through an email malware infection known as “Citadel”. The contractor’s only line of defense was a free version of “Malwarebytes”, a well-known anti-malware product whose free version only works when a user runs a scan with the software. According to the KrebsOnSecurity blog, it is thought that the HVAC contractor and Target initially were not specifically targeted by the attackers. Normally, attackers cast a wide net during malware attacks by sending mass emails which, when opened, download the malware to the email recipient’s computer. The attackers likely discovered the link to Target after stumbling across the Target portal credentials on one of the HVAC contractor’s computers. Once access was gained, the intruders were eventually able to distribute the malware to Target’s POS registers. The malware sent the stolen data to a server in a Target data center (set up by the intruders with stolen credentials), which served as a repository for the stolen data.
This incident sheds some light on the increased vulnerability to cyber-crime that companies are facing today. It is also particularly alarming to smaller companies, since this attack succeeded in damaging a huge retailer like Target, which has a staff of security professionals and large budgets to address these risks. Small companies do not have the resources of a Target, but looking back upon this incident, it is ironic that the intrusion could have been prevented by simply using properly installed small business security software.
There are many lessons that can be learned from these events. The first is that your security defenses are no stronger than the weakest link in your chain. The second is that larger organizations need to insist on and obtain proof of adherence to security compliance standards from their vendors and business partners. Lastly, with the advantage of hindsight here, security audits and network penetration testing, while not cheap, are probably not something your company should consider skimping on (just ask Target!).