In December of 2013, Target Corporation, one of the largest discount retail stores in the United States, was hacked. Information from over 70 million customers across 2000 Target stores was compromised due to a criminal hacking of Target’s systems. The attack began just after the Thanksgiving holiday period on November 27th and blocked promptly on December 15th. Target did not find the breach within their own system, on the 13th of December, they were contacted and notified by the Department of Justice. Primarily, it was evident that credit and debit card information was released. As the corporation’s team investigated further, it became known that personal information regarding a large portion of affected customers was also stolen, including home addresses, phone numbers, and names. The access point that was used by these attackers was closed shortly after the breach was discovered in an attempt to sever any connections these people had to the Target system.
Various measures should have been taken by Target in order to mitigate the risk that a breach this daunting could have occurred. It was concluded that the hackers gained access to the necessary credentials through a third party vendor by the name of Fazio Mechanical, which is “a supermarket refrigeration systems mechanical contractor” as it reads on their website (Fazio Mechanical). In order to further secure their systems, Target needed to have a better tactic for risk management. As suggested by the SANS institute, implementing risk management analyses on a regular basis would have greatly improved the security of the target systems. This strategy would have allowed the company to catch and eliminate vulnerabilities before they turned into threats. One conclusion made by CTO Jody Brazil of a security vendor by the name of FireMon, suggested that the breach was more “mundane and…preventable” (Computerworld) than one might have initially thought. Her conclusion was that although the hacker gained credentials from this third-party vendor, those working at Fazio Mechanical should never have been given access to Target’s payment information. In order to take preventative measures against this type of fraud again, Target would need to segment its network to ensure that third parties do not have access to this type of information, as it can prove to be fatal to the company’s systems, making them susceptible to attacks such as this one.
Aside from regularly monitoring their systems as a form of risk management, Target would have benefitted from implementing controls from the SANS 20 Critical Security Controls list. As was mentioned earlier, carrying out a regular risk management assessment of the company’s security systems would have proved to be extremely beneficial. SANS Critical Control #4, Continuous Vulnerability Assessment and Remediation provides just that level of coverage. SANS Control #15, Controlled Access Based on the Need to Know ties into the idea that third party vendors, while given rights to certain information within the company’s network, should be prevented from gaining access to all aspects of the company’s records. Along with Control #15, using CSC #16 would give Target the ability to be proactive through the monitoring of accounts, ensuring that no suspicious activities are occurring right under their noses. The final two SANS Critical Controls that would enable Target to better protect against similar attacks would be #19, Secure Network Engineering, and #18, Incident Response and Management. Taking preventative security measures is all about being proactive. No matter how secure a company believes their systems to be, there is always a threat of an attack, and IT teams must know exactly how to respond to these attacks in order to pinpoint them and mitigate them as quickly as possible.
It is evident that this breach connects to two specific frameworks; SANS and PCI-DSS. As was touched upon before, in order to mitigate security threats, Target would be advised to use the aforementioned critical controls laid out by the SANS Institute. The SANS Institutes focus is on information and cybersecurity, and through extensive research and a brilliant team, having the know-how to better protect businesses from instances such as those faced by Target. The second framework that this breach pertains to is PCI-DSS or the Payment Card Industry Data Security Standard. This framework hones in on information security standards for various organizations that use credit cards, namely those that fall under the titans of the credit card industry who created this organization, in point of sale transactions. The aim of PCI-DSS is not only to help organizations protect their transaction services but also to protect those credit card companies that fall under its umbrella. PCI-DSS has six groups containing twelve requirements that organizations under their rule must follow in order to reach total compliance with the institution's standards.
There were no extremely significant punitive implications that were derived from this breach that were not financial. Other than class action lawsuits filed by many customers, it was the major banks who were affected by the security breach that came after Target in a wish for restitution. Banks such as Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain, banded together to file a case against Target in which they reached a $39 million settlement.
As was expected, and is made evident by the lawsuit described above, there were major fiscal repercussions as a result of the breach. On top of these consequences, however, there was also a great loss of consumer trust in the Target name, as clients scrambled to learn as much information as possible to mitigate the vulnerabilities they now faced by having parts of their identities, as well as financial information, compromised. Customer loyalty to the Target name dropped significantly as frequent consumers became wearier and evermore cautious, thus straying away from making purchases at the retailer’s locations. Target, as was previously mentioned, also faced many class-actions lawsuits carried out by some of its customers in an attempt for redemption. Fortunately for Target, strength came in their name and their ability to offer quality products at cheaper prices than at your average mom and pop shop. Many consumers also came to the conclusion that this type of data breach is not specific to Target, but rather to any technologically advanced corporation that is keeping track of the personal information they input into the respective systems. Overall, however, Target took a massive hit in customer trust due to this attack, and is still working relentlessly to overcome it.