The Target breach, two years later

With the annual orgy of holiday shopping officially kicking off this week, has anything really changed since the breach that rocked retail?
Written by Natalie Gagliordi, Contributor

Although it was only two years ago, the holiday shopping frenzy of 2013 marked the end of a simpler time.

Consumers plowed through retail stores in search of a worthy bargain and swiped their credit cards with reckless abandon. Retailers relished each sale without fretting over the integrity of their payment systems.

But on December 18, 2013, the carefree days of consumerism came to a screeching halt as the news first broke that discount retail giant Target had been hit with an unprecedented data breach.

As the story unfolded, it became clear that the scale and sophistication of the breach had compromised 11 gigabytes of data containing the names, mailing addresses, phone numbers, email addresses and payment card information for up to 70 million people.

The following 12 months were tumultuous for the retailer and many of its peers. The Target breach was just the beginning of a series of massive retail data assaults that would expose critical weaknesses in enterprise data security and payment systems.

Two years later, Target has largely recovered from the breach in terms of both consumer trust and financial impact.

But no matter how grand its remediation efforts were, Target will be forever associated with the data breach and its lasting repercussions.

"Target remains the most significant breach in history because it was the first time the CEO of a major corporation got fired because of a data breach," said John Kindervag, vice president and principal analyst on risk for research firm Forrester. "You can't underestimate that in terms of getting people's attention. People started taking credit card security seriously -- before that, it was just a pain-in-the-neck compliance issue."

But Kindervag noted it takes a lot more than tough-talking security rhetoric to determine whether organizations are actually more secure today.

So, with the annual orgy of holiday shopping officially kicking off this week, has anything really changed?

To this day, Target has not disclosed precisely how the breach occurred or what exactly it has done to prevent another attack on its system.

What we do know is that attackers gained access to Target's network on November 27, 2013. As first reported by security blogger Brian Krebs, the breach started after a phishing email duped an employee of Target third-party vendor Fazio Mechanical, allowing Citadel, a password-stealing bot variant, to be installed on Fazio computers. Once Citadel successfully snagged Fazio's login credentials, the attackers breached Target's Ariba vendor portal, gained entry into the retailer's internal network and took control of Target servers.

From there, attackers infiltrated Target's point-of-sale (POS) systems and spent more than two weeks scraping and dumping credit card data to sell on the black market.

Target says it has since taken a number of actions to repair and improve its security posture, both immediately following the breach and throughout 2014.

According to Target communications representative Molly Snyder, the retailer brought in new senior leadership with cybersecurity know-how, including chief information officer Bob DeRodes and chief information security officer Brad Maiorino.

The retailer also rolled out EMV-compliant POS terminals in all of its stores nationwide, and it is in the process of reissuing its store-branded REDcards as chip-and-PIN cards by next spring.

EMV -- short for Europay, MasterCard and Visa -- is the secure payment standard now in place in the United States. It was designed to reduce fraud in face-to-face, card-present environments via the use of chip-embedded payment cards and a correlating POS device. The chip creates a unique impression or token for each transaction so that the only data flowing through a merchant's POS terminal is a random numerical sequence.

The combined chip and tokenization process is considered a major deterrent for data thieves hoping to create fraudulent accounts or make counterfeit cards.

The EMV roadmap was first announced in 2011 -- before the Target data breach -- so Target's efforts here are essentially in line with its original game plan. However, Target did ramp up its migration efforts after the breach and was one of the first national retail chains to swap out its POS terminals for updated EMV systems.

The breach was also a sort of rallying point across the retail and banking industries, according to one of the world's largest credit card brands, Visa.

"The Target breach definitely brought the issue into sharp focus and sparked much more engagement and commitment from both financial institutions and merchants," said Visa representative Sandra Chu.

On top of EMV, Snyder said Target has joined two cybersecurity threat-sharing initiatives: the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Retail Cyber Intelligence Sharing Center.

The Retail-CISC allows retailers to share cyber threat information with each other as well as anonymized information with the U.S. government via a cyber-analyst and a technician entrenched at the National Cyber Forensics and Training Alliance (NCFTA). The technicians and analysts are on the lookout for real-time cyber threats such as new strains of malware, activity on underground forums and potential software vulnerabilities.

Data-sharing initiatives may seem like a common-sense move. But according to Trey Ford, a global security strategist at security vendor Rapid7, the importance of these types of programs cannot be overstated.

"Companies are not effectively sharing the right information about attacks to enable defenders throughout the industry to improve," Ford said. "I know that if companies were to share meaningful information from post-mortem incident analysis, we would be in a far better place in detecting and deterring attacks."

The ultimate test of security for Target could boil down to something as simple as the strength of its network. At the time of the data breach, Target was operating with a flat network, explained security blogger Brian Krebs. A flat network is problematic because traffic is not segmented via switches and routers, so an attacker with a foothold on one part of the network, such as a vendor portal, can reach any other part, including the POS systems.

A Target corporate webpage outlining a number of technical changes made since the attack suggests Target has corrected the network error with improved segmentation and firewall rules and policies. It states:

We've developed point-of-sale management tools, reviewed and streamlined network firewall rules and developed a comprehensive firewall governance process.

Target lists additional security improvements, including the monitoring and logging of system activity; the installation of application whitelisting on POS systems and POS management tools; limited or disabled network access for vendors; expanded use of two-factor authentication and password vaults; and disabled, reset, or reduced privileges on over 445,000 Target personnel and contractor accounts.

So far, it's arguable that the changes have worked, because Target has yet to fall prey to a second attack.

As for other retailers out there lucky enough to still stand untarnished, that's an entirely different story.

Cyber criminals are advancing their attack strategies at a rapid pace and turning to even more complex encryption to outsmart even the most sophisticated anti-malware.

Just this week, cyberthreat intelligence company iSight Partners released details of what it describes as an intricate POS malware scheme unlike anything else before it. Dubbed ModPOS, the malware creates "a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence," iSight explains on its website. "Thus, ModPOS can go undetected by numerous types of modern security defenses."

The ModPOS discovery is just the latest reminder that the battle for payment and sensitive consumer data is raging on. It's up to organizations to adopt the strongest safeguards possible to prevent attacks as disastrous as the Target breach.

Even then, total protection is not guaranteed.

"You can throw all the money you want at security but it's useless if you're not investing in the right assets," Krebs said. "Way too many organizations don't take security seriously until they have a breach, and they don't get really serious until it costs them a lot."
