What happened to Target – Part 1
A massive data breach could have been prevented.

Pete Chronis
Chief Security Officer

Cybersecurity incidents in 2014

If your organization wasn’t hit by a cybersecurity incident in 2014, you’re among a tiny minority.

When it comes to data breaches, it has been nothing short of a transformative year. Publications like Infosecurity Magazine are calling 2014 “the year of the breach,” and there are numbers to back that up. According to a recent data breach report from the Identity Theft Resource Center, there have been 696 breaches in 2014, as of Nov. 25. Looking through the specific incidents, it becomes clear that no enterprise sector is immune to cybercrime. The criminal intrusions span industries, with everything from hospitals and colleges to banks and small stores getting attacked. As Trend Micro’s Christopher Budd pointed out in August, “Data breaches in particular are moving from being exceptional events to nearly commonplace.”

Of all the widely reported data breaches in 2014, there was one that really changed the game. Though it technically occurred in late 2013, the Target data breach effectively marked the emergence of the so-called “Mega Data Breaches” that have cropped up with alarming regularity this past year. Before Home Depot, eBay, PayPal and JPMorgan, there was Target. While the major retailer’s breach was preventable, it also presents a valuable learning experience for strengthening business security across all enterprises. No one is immune to malicious intrusions, and preparation is key.

The genesis of a preventable intrusion

All told, there were 110 million customer records breached in the Target intrusion, including 40 million credit/debit cards and 70 million names, addresses, emails and phone numbers. Collectively, around one-third of the country’s population was directly impacted by the breach. Compromised cards were taken and sold on the black market. Hackers were estimated to have earned around $53.7 million from the intrusion, according to Brian Krebs, the security blogger responsible for breaking the breach news. Target spent far more than that recovering from it. In many ways, the store is still recovering. So what happened?

The Target hackers didn't start by attacking the retail giant. Instead, they targeted a third-party HVAC provider that did business with the retailer and had access to its network.

The majority of credible sources out there agree that the Target breach – which ultimately took the form of an attack on the store’s point-of-sale system – could have been minimized, if not outright prevented, with better defensive measures in place on the enterprise’s part. Most hackers out there are not looking for the most secure targets to attack. Instead, they are on the hunt for an easy way in. Rather than coming through the front door, they are going to aim for that window left slightly open. This was the case with the Target breach.

Once the criminals had access to Target’s network, they had a lot of flexibility to start pushing malware out to all the different POS devices in the store’s system. That’s because the hackers were able to compromise a server with administrative privileges that was used to disseminate software to POS devices. The criminals used a specific strain of malware that was designed to capture credit card numbers just after customers swiped their cards at the point of sale.

Hackers attacked Target via a third-party enterprise hired by the retail giant to manage its HVAC systems. The vendor had access to Target’s network to perform routine HVAC systems maintenance. Hackers used a relatively simple phishing campaign directed at the HVAC provider. Once someone at the HVAC company clicked on the malicious emails, the criminals were able to install malware on that employee’s computer that captured the username and password when the employee logged into Target’s network.

Anatomy of a cybersecurity attack

Once they were inside Target’s network, the criminals unleashed malware aimed at extracting credit card data from the store’s POS systems.

The credit card numbers were only vulnerable for a split second – but that was all the time the hackers needed to intercept the data. But the criminals were not taking any chances, and so in addition to the credit card-capturing malware, they put in place malicious code that worked to deliver stolen data to various U.S.-based “staging point” servers. From there, the hijacked data would be in the hackers’ possession. Credit card numbers started leaving Target’s system on Dec. 2. It would be weeks before Target detected, contained and publicly acknowledged the breach.
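The chain above has two choke points a defender can watch for: a third-party vendor account reaching systems outside its own segment, and POS hosts sending data to destinations other than the payment processor. The following is an added example, not code from the original post or from EarthLink, of a simple segmentation check over constructed flow records; every subnet, account name and log line in it is invented for illustration.

```python
# Added example (not from the original post): a minimal network-segmentation
# check run over constructed flow records modelled on the attack chain above:
# a vendor (HVAC) account reaching the POS software-distribution server, and a
# POS host pushing bulk data to an outside "staging point" host.
# All subnets, account names and log lines below are invented for illustration.
import ipaddress
from dataclasses import dataclass

POS_NET = ipaddress.ip_network("10.20.0.0/16")               # assumed POS segment
HVAC_NET = ipaddress.ip_network("10.90.0.0/24")              # assumed vendor/HVAC segment
PAYMENT_PROCESSOR = ipaddress.ip_network("203.0.113.0/24")   # stand-in for the processor (RFC 5737 range)
VENDOR_ACCOUNTS = {"hvac-vendor-svc"}                        # assumed third-party account name
BULK_EGRESS_BYTES = 1_000_000                                # assumed alert threshold

@dataclass
class Flow:
    user: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int

def parse_flow(line: str) -> Flow:
    # Constructed record format: "<user> <src> <dst> <dport> <bytes_out>"
    user, src, dst, dport, nbytes = line.split()
    return Flow(user, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))

def policy_violations(flow: Flow) -> list[str]:
    """Return the segmentation rules this flow breaks (empty list means allowed)."""
    hits = []
    # Rule 1: a third-party vendor account may only reach the HVAC segment.
    if flow.user in VENDOR_ACCOUNTS and flow.dst not in HVAC_NET:
        hits.append("vendor account outside HVAC segment")
    # Rule 2: POS hosts may talk only to the POS segment and the payment processor.
    pos_allowed = flow.dst in POS_NET or flow.dst in PAYMENT_PROCESSOR
    if flow.src in POS_NET and not pos_allowed:
        hits.append("POS host contacting non-payment destination")
    # Rule 3: bulk transfer from a POS host to anything but the processor.
    if flow.src in POS_NET and not pos_allowed and flow.bytes_out > BULK_EGRESS_BYTES:
        hits.append("bulk POS egress to unexpected host")
    return hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each offending flow (as 'user src->dst:port') to the rules it breaks."""
    findings = {}
    for line in lines:
        flow = parse_flow(line)
        hits = policy_violations(flow)
        if hits:
            findings[f"{flow.user} {flow.src}->{flow.dst}:{flow.dport}"] = hits
    return findings

SAMPLE_LOG = [  # constructed records, not real traffic
    "hvac-vendor-svc 10.90.0.15 10.90.0.20 443 4096",     # vendor to HVAC controller: allowed
    "hvac-vendor-svc 10.90.0.15 10.20.1.5 445 120000",    # vendor to POS distribution server: flagged
    "pos-svc 10.20.4.11 203.0.113.10 443 8000",           # POS to payment processor: allowed
    "pos-svc 10.20.4.11 198.51.100.7 443 25000000",       # POS bulk push to outside staging host: flagged
]
```

Run against real flow or proxy logs, the same two rules would have surfaced both the vendor credential being used against the distribution server and the outbound staging traffic long before weeks had passed.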

Tune in to Part 2 of this piece next week to see how this situation could have been prevented – and how an EarthLink solution can get you there.

About Peter Chronis

Pete is EarthLink's information security and IT compliance leader. He has over 15 years of experience using technology to manage risk in the telecommunications, healthcare, retail, financial and IT services industries.