Breach Case 2
Target Cyber Attack
Target cyber security breach that took place on December 19, 2013, is one of the biggest cybercrime incidents around the world. The US-based retail company was a victim of a massive data breach in which approximately 40 million credit and debit card numbers of their customers got stolen. On January 10, 2014, Target made an announcement that in addition to the 40 million stolen cards, personal information such as names, phone numbers and postal and email addresses of approximately 70 million clients got compromised in the cyber attack. The impact was so widespread since it affected nearly one-third of the total population of America.
The cyber attack occurred when one of Target’s suppliers, heating, and air conditioning firm had access to Target’s computer systems. One of the workers of the company had been spammed with a phishing email that led to their login details to Target’s network getting stolen. The perpetrators of the cyber crime then installed software on Target’s computer network. Investigators believe that data got acquired through the software installed on machines that store customers used to swipe magnet strips on their cards when paying for merchandise at Target stores.
All the consumers who shopped and made payments with their payment cards between November 27 and December 15, 2013, become victims of the cyber attack. Online purchases at Target.com did not get affected by the attack hence suggesting the malware night have infected point-of-sale (POS) machines. The attack affected more than 70 million shoppers and is reported to have cost Target approximately 148 million dollars. The cyber attack also led to a 46 percent drop in profit as well as 14 percent drop in the stock market. It was a result of reduced sales and customer visits to the stores. The company also spent an additional 61 million dollars in anti-cyber attacks technology as a consequence of the cyber security breach. The cyber attack also affected the company’s employees and numerous banks. The company’s chief information security officer resigned on March 5, and the chairperson, president, and CEO Gregg Steinhafel also resigned two months later after 35 years in the company. Banks got required to refund all the money stolen from customers through their credit cards and paid for replacements that cost over 200 million dollars. There were also increased cases of identity theft in the US in the first half of 2014 as a result of cyber breaches such as Targets. Various lawsuits also got filed against Target.
The company management coordinated its efforts with various law enforcement agencies and banks so as to prevent extreme adverse impact. Various measures should have got implemented to prevent the breach of the company’s database. First, Target should not have allowed a third party (the heating and air conditioning company) to access its computer networks. This action made the company vulnerable to external attacks and compromise. If a third party gets authorized into the computer networks, proper measures should get integrated to ensure that systems are well monitored and protected. In this case, the third-party management software suffered critical security flaws. Second, Target should have used a defense in depth security approach that is integrating several layers of data security. Target which is the second largest stores company in the US should have integrated a database security system in its database that could have detected the installation of this software. The company should also have hired adequate trained and competent staff to monitor the company’s information systems. Encryption of card data would also have assisted the company in preventing the attack and also ensuring that data was not available in memory in the POS systems. A tamper resistant security module should have got used since it encrypts data on the hardware, hence even if malware were on the POS systems, it would only read encrypted data. All these measures are crucial to ensuring security.