Data Security and the Target Breach

Introduction

Last December, Target announced a massive data breach involving millions of credit cards, email addresses, mailing addresses, phone numbers, and customer names. The FTC is currently investigating the data breach.


This is one of the largest retail security breaches in history, with current estimates indicating up to 110M customers affected, and massive effects on Target. As a result of the breach, Target’s Chief Information Officer has resigned, and their holiday profits declined 46% year over year.

A brief timeline of events is below (source: http://op.bna.com/der.nsf/id/sbay-9hktrf/$File/Rockefeller%20report%20on%20Target%20breach.pdf):

[Figure: timeline of the Target breach]

Data Security Failures and Opportunities for Target to stop the attack

The intruders gained access to Target’s network by first compromising Fazio Mechanical Services, an HVAC and refrigeration company. This firm had remote access to Target’s networks for specific purposes: electronic billing, contract submission and project management. Similar to In the Matter of CardSystems, Target (1) did not use readily available security measures to limit access between computers on its network and between such computers and the Internet; and (2) failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations. This attack vector highlights the importance of ensuring that partner organizations which access a company’s data follow the same security policies and procedures as the company itself (as recommended by the California Office of Privacy Protection under the security breach notice law). It is also evident that Target did not require partner organizations to follow such security policies and procedures.

One report suggests that default account names were used to gain access to the Target network from Fazio’s network. Target could have set up and enforced policies and guidelines for the IT systems within its network that would have prevented this avenue of entry.

Target also did not segregate critical network and data infrastructure. Customers’ personal data, which is individually identifiable, could have been kept isolated from the vendor billing access systems. There does not seem to have been any classification of information based on the sensitivity of the data. This is one of the safeguards suggested by the California Office of Privacy Protection’s Recommended Practices under the Security Breach Notice law.

Technological Measures Aren’t Enough

The California Office of Privacy Protection’s Recommended Practices under the Security Breach Notice law recommend conducting periodic penetration tests and reviews to ensure that privacy and security are preserved. But in this case, Target repeatedly ignored warnings from various systems about the malware. The FTC Statement on Data Security notes that businesses need to protect against well-known, common technology threats, and be sure that they can back up any claims about data security. In Target’s case, they succeeded on some fronts, yet completely failed on others. On the one hand, six months prior to the attack, Target had installed a malware detection tool, FireEye, that caught the intrusion and flagged it to Target’s security operations center. However, Target failed to act on these warnings, allowing the attackers to install malware and extract customer financial and personal information. It is apparent that although Target had taken technological measures for data security, it did not have adequate procedures, policies, or employee training in place to respond to the alerts those measures produced.

Data retention is one area where Target appears to have done relatively well, as the financial information leaked was limited to “only” a few weeks’ worth of credit card usage (an estimated 70M individuals, as per the latest reports). Had financial information been stored for a longer duration, the damage could have been even greater.

Subsequent Legislation and FTC Investigation

Target’s first notification to consumers occurred when it publicly admitted to the breach on December 19, 2013, and only after a security researcher had already broken the news to the media. Following this and other breaches, such as the one at Neiman Marcus, Senators Rockefeller, Pryor, Feinstein, and Nelson introduced legislation that creates tighter requirements for security implementations and customer notification, and increases the FTC’s enforcement authority.

The FTC has announced that it is currently investigating the situation, and may ultimately find that Target behaved in an unfair or deceptive manner by not adopting appropriate safeguards for its customers’ personal and financial information. In particular, the FTC may find that Target failed to adequately “protect against well-known, common technology threats,” given the apparent lack of procedures for handling data breach alerts.

Sources and Further Reading

Business Week, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it

FTC, Prepared Statement on Data Breach on the Rise. http://www.ftc.gov/system/files/documents/public_statements/296011/140402datasecurity.pdf

Senate Committee on Commerce, Science and Transportation, A “Kill Chain” Analysis of the 2013 Target Data Breach. http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

Dianne Feinstein, Senators Introduce Bill to Protect Against Data Breaches. http://www.feinstein.senate.gov/public/index.cfm/2014/1/senators-introduce-data-security-bill-to-protect-against-data-breaches

– By Divya Menghani and Dan Tsai