Senate Report: Target’s Negligence Allowed Massive Theft of Shopper Data
On December 19, 2013, news broke that 110 million Target customers had their personal data stolen from the Target network. The U.S. Senate Committee on Commerce, Science, and Transportation has released a report detailing exactly how this breach occurred, and has made recommendations to prevent such massive theft in the future.
The Senate Committee Report, “‘Kill Chain’: Analysis of the 2013 Target Data Breach”, reports that Target “gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
“‘Kill Chain'” notes a variety of missed opportunities to shut down the breach, starting with their initial weak security points and several warnings from anti-intrusion software that Target did not heed.
The bulk of credit card data was sold on the internet’s so-called Deep Web, a series of hard-to-navigate sites and underground networks that buy, sell, and trade illegal merchandise. These underground markets typically operate with the use of BitCoin and Credit Union payments, both mostly untraceable currencies. Debit and credit card data was sold to ‘card shops’, websites that list a plethora of card information in order to help purchasers create clones of stolen cards. Tech security analyst and blogger Brian Krebs broke the story and discussed in depth the data that was stolen and the way it was used.
“There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country,” Krebs says. Stores will use data stolen from the magnetic stripe on the backs of credit and debit cards. “Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.”
“‘Kill Chain'” also discusses how hackers targeted weak security points and exploited the fact that Target apparently ignored or completely missed warnings that its security systems had been breached.
A timeline of Target’s actions and the actions of the attackers show that Target received alerts when POS (Point of Sale) malware was installed, when attackers installed upgraded versions of the malware, and when the attackers began to steal data. On December 12, The Department of Justice notified Target that its information had been breached, and Target confirmed the breach and acted against it several days later on December 15.
Article formerly posted at https://www.hsdl.org/blog/newpost/view/s_5058