Lessons Learned From The Target Data Breach: Part 1

In the holiday shopping rush of December 2013 Target (TGT), the 1,778 store middle market retailer, had one of the biggest data breaches in American business history.  The breach apparently affected more than 70-100 million customers over 40 million cards (varying estimates exist) across all U.S. stores but excluded Target.com and stores in Canada.
The general consensus is that a HVAC contractor for Target, Fazio Mechanical Services, who had access to Target’s networks got their own networks hacked via an e-mail phishing attack, normally an elementary attack method; yet that attack installed malware that then got onto Target’s network and installed more malware that copied personal data from Target’s payment processing terminals when it was in the “working memory area” or “cache” of the software/system – that is before it gets encrypted to be sent to the bank to be authorized.  This is part of the reason why it was not detected so fast and yes these hackers were smart.

Yet Target also did a bad job separating their networks and servers while they were trying to save money by having less networks and broader access for those who needed them.  Yet I don’t see why an HVAC contractor would need to be so close to the networks that work the registers.  This is simply poor design.  I am sure the HVAC company could have done their job without access to the Target network.  Let’s not hope they just wanted to upload HVAC reports and browse the network.

According to a recent Business Week article, “Target had a team of security specialists in Bangalore to monitor its computers around the clock.  If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.  On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route.  As they uploaded exfiltration malware to move the stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis.” (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)
Yet Target did not take this alert seriously but why?  Fear of change, ego, poor leadership, and too much bureaucracy got in the way of the costly software’s effectiveness.  At the time of the breach FireEye was a new software tool for Target’s technology group and what I know about new technology is that people delay embracing and learning new systems of out of fear that those systems will be buggy or not as good as the old ones.  I understand this very well having worked part time in the P.C. dept. at Best Buy for more than 3.7 years representing Intel and related software makers Microsoft, Symantec, Trend Micro, and Adobe.  When Windows 8 came out all kinds of people were doubting it not because it was bad but because it was more work to get to know, and if they saw something really different about it, they were inclined to think it was a bug when in fact it was a useful design feature they didn’t yet understand.  The same bias can be applied to Apple computers.  People falsely think that they are immune from viruses because Apple designs them that way.  What a joke.  Apple computers are only as secure as their understanding of the latest virus.  Yes it is true the Apple operating system is not targeted as much for viruses but it is also not used as much and it is hardly used by large companies and governments.

Moving on, the CIO really needs to get behind any major software change like this, and if Target’s former CIO Beth Jacob was really behind FireEye she probably would have done something about the alerts they were giving her.  You would think as CIO she would want to immediately act and reduce any risk.  What was she doing at the time, giving some speech about how she was such a great leader in the industry while some high buck corporate partner pays for her three-course lunch?  Clearly, her eye was not on the ball or even on Target (no pun intended), and she had a big enough ego to think she was smart enough and had put the right people on her team to take care of this.  Yet what an epic fail.  It is also likely that there were people some layers below Jacob that tried to inform others to the alert but I am sure their voice of concern and reason got squashed by Jacob’s massive ego, after all you can’t doubt a CIO – right?  I highly doubt everyone in Target’s IT security team was going to ignore these alerts but it is too many layers of bureaucracy that got in the way of Target’s safety.  Target is better off with a more open style of bureaucracy where concerns can be heard at all levels and tools and processes are shared for innovative solutioning – Google’s culture is a good example of this.

Target has also grossly underestimated the costs associated with the data breach to keep their stock price up but of course they would never say it like that, however I am not alone in thinking Target’s $147 million figure is too low.  According to one analyst, “costs would rise even more over time. “I don’t see how they’re getting out of this for under a billion, over time,” he said, adding, “$150 million in a quarter seems almost like a bargain.” (http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0)

Those who have the stolen data are likely outside of the U.S. and when and if they use the data to commit fraud the ability of a U.S. corporation or court to go after them is diminished, timely, and costly.  Moreover, since the U.S is the midst of negative geo-politics with parts of Europe, particularly Russia where some sources have traced the hack, those who have the data are likely to be bold in how they use it and that’s where the cost to Target will add up.  The other areas where the costs will grow is in Target’s own internal policy and procedure changes as well as the growth of their IT security staff and tools, but most importantly their investment in training must grow.  At present Target has over more than 90 lawsuits against them regarding the breach and that number is likely to grow so the costs here are going to be huge overall.

Lastly, I am not all negative on the Twin Cities’ favorite corporate hometown hero as I shop at Target often, have the REDCard, have been to their diversity events, and I have also seen a lot of concerts and sporting events at both Target Field and the Target Center.  However, the mere fact that Target has the money and lobbying power to get their name in the community does not mean they are a true leader in the community.  As the data security community increases consumer awareness retailers like Target will continue to be challenged to innovate and that’s better for all people.

By Jeremy Swenson