Target Data Breach, How Target Almost Lost Everything
- By David Lukic
- Sep 22, 2020
One of the first notorious data breaches to hit the news hard was the Target data breach in 2013. Prior to this event, cybersecurity wasn’t taken as seriously as it is today. The professional changes that many businesses made in response likely saved billions of data points from falling into criminals’ hands.
There is a Target data breach case study done by security company ESET which describes how this single event transformed how cybersecurity experts evaluate retail security systems.
Hackers stole 40 million credit card numbers and personal details for 70 million customers. In light of recent data breaches, this may seem small, but at the time, it was quite an offense to customers’ trust. The attack hit during the 2013 holiday shopping season, which somehow made it worse.
Along with credit card numbers, the cybercriminals also got away with PINs, customer names, email addresses, phone numbers, expiration dates, and security codes. This incident, combined with the Home Depot hack, effectively pushed credit card companies to move to a chip-based system with PINs and away from magnetic stripe cards. The change is one of many that came out of the Target hack.
How Did the Target Data Breach Happen?
Target’s 2013 breach kicked off when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a phishing attack. This company remotely accessed Target’s network for billing purposes, contract fulfillment, and general management.
The emails sent to Fazio Mechanical Services contained malware that stole the employee’s credentials and granted the criminals access. Later investigations revealed that some standard cybersecurity procedures like malware detection software weren’t implemented in their day-to-day.
Malware started stealing customer information on November 27th, which wasn’t detected until three days passed. Target’s security team received a notice for a generic threat named “malware.binary.” Security experts believed the threat was relatively harmless and did not act on the warning.
It wasn’t until December 12th that the US Department of Justice uncovered the scope of danger and informed Target. An investigation began in collaboration with governmental agencies, and the malware was removed from Target’s network by December 15th.
What Did Target Do in Response?
Rather than a Target spokesperson or press release, news of the historic breach came from the independent cybersecurity blogger Brian Krebs. Target released its statement the next day while reporting on its investigation in tandem with the FBI and Secret Service.
Ignoring Target’s initial oversight, the company’s response was relatively quick after learning the seriousness of the threat. The company notified customers within four days and removed the malware during that time.
However, customer trust was at an all-time low, and Target needed to reassess its entire digital infrastructure. This included how they managed third-party contractors and cybersecurity systems.
- Increased monitoring and recording of alerts
- Enhanced segmentation of networks
- Restricting vendor access
- Resetting 445,000 employee and contractor passwords
- Introducing 2-factor authentication
The most important of these changes is Target’s choice to segment its networks. This architectural approach divides large networks into separate subnets. This helps administrators better manage the data flow and isolate problems before they can harm the entire system.
What Information Was Stolen?
Hackers accessed Target’s database and downloaded the information to a European server. Details included credit and debit information from roughly 40 million accounts. However, the total number of customers affected could be as high as 110 million.
The stolen information included:
- Card Types
- Expiration Dates
- Magnetic Stripe Data
- Issuing Countries and Banks
- Contact Information
Black-market card vendors purchased this information. This passed everything to cybercrime operations attempting to steal identities, fabricate cards, and initiate phishing scams.
Cost of the Target Data Breach
According to IBM, the average data breach cost in 2022 was $4.35 million. However, just looking at America, the amount is more than twice as much at $9.44 million.
A few factors determine the price of a data breach in the US. The company’s response time, legal fees, reputational damage, and level of fault all play a part. While Target had to pay an $18 million settlement, their estimated losses are over $200 million.
These losses came primarily due to bad timing. The breach began in late November and wasn’t resolved until mid-December. These months are the heart of the holiday shopping season, and Target couldn’t direct its full attention toward it.
Additionally, Target lost customers’ trust, and many people were unwilling to shop at their stores for a time. During this period, reported earnings dropped by 46 percent. Of course, there was also the cost of restructuring their cybersecurity networks, but that paled in comparison.
Takeaways for Cybersecurity
The Target data breach is the most significant retail data breach in history. Before it happened, many businesses relied on outdated and easily circumvented security systems. Below are a few of the biggest lessons the industry learned in 2013.
Prioritize the Switch to EMV
At the time of the attack, less than one percent of American credit cards used an EMV (Europay, Mastercard, and Visa) chip. The magnetic stripe used on most cards was outdated and ineffective for protecting against upcoming security threats.
The Target breach exposed millions of American PINs and magnetic stripes. This information allowed criminals to duplicate and use fraudulent cards.
Afterward, card issuers announced their plans to shift broadly into an EMV, or Chip-and-Pin, system. Merchants were given until October of that year to make the necessary changes, and gas stations received an additional year to transition.
The EMV chip was revolutionary for financial security. It used a chip with a stored cryptogram to check for any alterations in the transaction. The chip also recorded individual transactions to ensure that the same transaction wasn’t made multiple times, which is a glaring sign of fraud.
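The two checks described above can be modeled in a few lines. This is an added, simplified illustration, not code from the article or from the EMV specification: HMAC-SHA256 stands in for the card's real MAC algorithm, and the key, merchant ID and message layout are constructed assumptions.

```python
import hashlib
import hmac

def cryptogram(key, atc, amount_cents, merchant, nonce):
    """MAC over the transaction fields plus the chip's transaction counter (ATC)."""
    msg = (atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
           + nonce + merchant.encode())
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    def __init__(self, key):
        self.key, self.atc = key, 0

    def authorize(self, amount_cents, merchant, nonce):
        self.atc += 1  # every transaction gets a fresh counter value
        return {"atc": self.atc, "amount_cents": amount_cents,
                "merchant": merchant, "nonce": nonce,
                "cryptogram": cryptogram(self.key, self.atc, amount_cents,
                                         merchant, nonce)}

class Issuer:
    def __init__(self, key):
        self.key, self.last_atc = key, 0

    def verify(self, txn):
        expected = cryptogram(self.key, txn["atc"], txn["amount_cents"],
                              txn["merchant"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: cryptogram mismatch"   # a field was altered
        if txn["atc"] <= self.last_atc:
            return "declined: counter already used"  # same transaction replayed
        self.last_atc = txn["atc"]
        return "approved"

def demo():
    key = bytes(range(16))  # constructed demo key shared by chip and issuer
    chip, issuer = Chip(key), Issuer(key)
    txn = chip.authorize(2599, "STORE-0001", b"\x01\x02\x03\x04")
    first = issuer.verify(txn)
    replay = issuer.verify(dict(txn))  # captured copy presented a second time
    altered = dict(chip.authorize(2599, "STORE-0001", b"\x05\x06\x07\x08"),
                   amount_cents=999999)  # amount changed after the chip signed
    return first, replay, issuer.verify(altered)

if __name__ == "__main__":
    print(demo())
```

Magnetic stripe data has no counterpart to either check: the stripe contents are static, so a copied stripe looks the same to the issuer every time it is presented.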
Consider How Third Parties Fit into Security
Another effect of Target’s breach was that it emphasized the dangers of allowing third parties to access a network. In the beginning, it was Fazio Mechanical Services that fell for a phishing scam, but it was Target who paid the price.
Despite the risk, avoiding working with other businesses on a supply chain is impossible. However, companies learned to check the cybersecurity measures of their partners thoroughly. Cybersecurity terms became a more entrenched part of contracts. Risk management clauses appeared in vendor dealings, and third parties were removed from non-essential data.
In Target’s case, this process became much easier after properly segmenting their networks.
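One way to check that segmentation and vendor restrictions like those described above are actually holding is to audit observed network flows against an allow-list of segment-to-segment traffic. This is an added example, not Target's configuration: the segment names, subnets, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Hypothetical segments (constructed RFC 1918 subnets).
SEGMENTS = {
    "vendor_access": ipaddress.ip_network("10.10.0.0/24"),
    "billing": ipaddress.ip_network("10.20.0.0/24"),
    "payment": ipaddress.ip_network("10.30.0.0/24"),
}

# Cross-segment traffic is denied unless listed here as (source, destination, port).
ALLOWED = {
    ("vendor_access", "billing", 443),
}

def segment_of(ip):
    """Return the name of the segment containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(flows):
    """Return the flows that cross a segment boundary without an allow-list entry."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "unmapped address"))
        elif s != d and (s, d, port) not in ALLOWED:
            findings.append((src, dst, port, f"{s} -> {d} not allowed"))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.8", 443),    # vendor reaching billing: allowed
    ("10.10.0.15", "10.30.0.21", 445),   # vendor reaching payment: violation
    ("10.30.0.21", "10.30.0.22", 8443),  # traffic inside one segment: ignored
    ("192.168.5.9", "10.30.0.21", 22),   # source not in any known segment
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```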
Plan for When a Cyber Attack Gets Through
Cybercriminals are resilient and determined. Nearly half of American businesses have been targeted by phishing and other cyberattacks in the past few years. If it can happen to Target, which is in the top 10 largest retailers in the US, then it can happen to anyone.
So, it’s essential to have a plan ready.
Target’s initial response wasn’t the best. They ignored early warnings and then waited a few days to inform the public. Doing so made Target appear untrustworthy and irritated many customers amid the holiday shopping season. The entire incident could have been contained by reacting or double-checking the threat immediately.
If Target had a premeditated response plan for the company to follow, they wouldn’t have had to react off the cuff. Response plans typically include regulations over:
- Designating leaders during an emergency
- Announcing the breach to the public
- Determining responsibility to governmental agencies
- Investigating the attack
How to Check if Your Data Was Breached During the Target Hack?
Target sent out letters to everyone who was affected by the data breach. If you shopped at any Target stores between Nov. 27 and Dec. 18, 2013, you should also review your credit card and bank statements from that time period to look for suspicious charges. The time to file a claim has passed, but you might be able to take legal action if you were not notified and you were affected by the Target hack.
What to Do if Your Data Was Breached During the Target Hack?
Unfortunately, it is too late to file a claim with Target. The deadline of July 31, 2015 has passed, but you can still take some action. If you never received a notice from Target, you may still have some legal options. If you haven’t already taken the steps below, do so now:
- Cancel the credit card you used at Target during the data breach and request a new one.
- Change all your online passwords for banking and credit card accounts (use strong passwords with combinations of letters, symbols, and numbers).
- Work with credit card companies to remove any fraudulent charges.
- Get a copy of your credit report and sign up for credit monitoring (IDStrong.com offers this service).
- Keep an eye out for phishing and other scam emails.
Are There Any Target Lawsuits or Settlements?
There was a massive class-action lawsuit with a huge Target data breach settlement payout of up to $10,000 per customer. Target set up a website to inform people of the settlement and how to file a claim. The deadline to file (July 31, 2015) has passed, and no further claims are being accepted. In August of 2019, Target legal counsel began sending out payments to affected customers. Those that received payouts had to provide proof that the incident led to fraudulent charges, costs incurred restoring their credit, identity theft, or other serious consequences.
Can My Stolen Target Information be Used for Identity Theft?
The information stolen during the Target data breach is exactly what is needed for identity theft. The personal details combined with credit card information and logins are more than enough to provide a hacker with what they need to infiltrate your other accounts and possibly even your computer. You cannot be too careful when protecting yourself against identity theft.
What to Do to Protect Yourself When Buying from Retail Stores?
Hacking incidents may scare off some consumers, but most of us will continue to shop and use credit cards. However, there are steps you can take to keep yourself safe.
- Use only one credit card for retail purchases and monitor your statements carefully each month.
- Review bank statements and your credit report regularly to scan for fraudulent activity.
- Invest in credit monitoring and consider a credit freeze where new accounts cannot be opened without your permission.
- Keep all your devices updated with antivirus software and run scans often.
- Use common sense and watch for suspicious scam emails that push you to click a link or download an attachment.