The largest retail breach in history happened at Target stores all over the country during the busy 2013 holiday shopping season, sparking 90+ lawsuits, a Congressional hearing, corporate restructuring and plummeting sales figures for the big-box retailer. But according to a report, it all could have been prevented – had the retail giant simply listened to its own internal early warning systems.
To recap, the retail giant saw 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – stolen in a widespread point-of-sale (PoS) hack during the busy holiday shopping season. The card data and other personal details were lifted by the BlackPOS malware, which was somehow pushed from a central server to card-swiping terminals across the nation.
Target confirmed that the server itself was compromised by a third party using stolen credentials, likely taken from Fazio Mechanical Services, a provider of refrigeration and HVAC systems for retailers and other businesses. Fazio is thought to have fallen prey to a social engineering-based email attack. A lack of proper network segmentation then allowed the attackers to move from that foothold to the payment systems, researchers said.
New information, reported by Bloomberg Businessweek, shows that there were actually fail-safe mechanisms in place during these events – and they actually worked. Earlier in 2013, Target had put in a $1.6 million malware detection tool from FireEye, monitored by its team of security specialists in Bangalore, India. That team was tasked with watching for cybersecurity incidents around the clock, and on November 30th it noticed something fishy. The data thieves were busy loading exfiltration malware into the Target system to siphon off the credit and debit card information they would gather – and the FireEye system found their footprint before the attack started.
Following protocol, a notification was sent to Target’s security operations center in Minneapolis warning of a possible breach. And from there, the alert was simply ignored, according to the more than 18 insiders that Businessweek spoke to. Those included data security specialists from within the company as well as law enforcement officials and security specialists familiar with the situation.
No reason has yet emerged as to why the company may have stood idly by while massive amounts of sensitive consumer information leaked out of its systems. The company itself is sticking to its official statement, which points out that Target was certified as meeting the payment card industry (PCI) standard in September 2013.
“Nonetheless, we suffered a data breach,” it said.
Researchers are noting that PCI compliance has always been seen as a shield for retailers when it comes to security – but the Target breach has blown the doors off of that notion. “One thing PCI does is provide retailers with a false sense of security,” said Allan Carey, vice president at PhishMe, in a blog post. “Target and Neiman Marcus were both certified as PCI-compliant. As an industry, it’s time for retailers to recognize that PCI compliance may be a requirement, but it won’t shield your business from being breached and suffering the now tangible negative consequences.”
And indeed, consumers aren’t showing any sympathy for Target suffering the breach despite being PCI-compliant. Target has spent $61 million through Feb. 1 in cleanup, likely the tip of the iceberg, and according to its fourth-quarter earnings report its profit for the holiday shopping period fell 46% year-over-year. Only 33% of US households shopped at Target in January of 2014, a 22% decline from 2013. That also represents Target’s lowest level of shopper penetration in the last three years.
“While retailers can’t avoid PCI, they can decide to make compliance with it their security floor and not the ceiling,” Carey said. “Retailers may be in the spotlight right now, but this applies to organizations in all industries. Organizations should…achieve compliance in as simple a way as possible, and focus resources on identifying and addressing the most relevant threats.”