How did Target get hacked?
I’ve been asked by a few people to expand on the security breach at Target. The breach is well understood and is a key part of the IBM My Learning Security Intelligence Technologist course that I taught. The story is so well understood that even major network news could give a coherent version, such as this NBC story. WiReD was covering it back when it was still fresh, and with more detail in a later (better) story.
In September 2013, Target was certified as compliant with the Payment Card Industry Data Security Standard (PCI-DSS), the standard that all credit card companies require a merchant to meet before it can process credit and debit card payments.
Around that time, hackers stole the credentials of a Target supplier. This supplier had access to change information on the point-of-sale (POS) terminals that every consumer sees when they pay for purchases at Target. This exposure resulted from poor security training at the supplier and a successful phishing campaign by the attackers.
On November 12, 2013, the attackers made a first attempt on the POS terminals. Before the end of the month, they had installed a RAM scraper on these terminals and were gathering card data from memory. RAM scrapers are well known to security analysts; Visa issued warnings about them to retailers as early as 2008.
There’s evidence that the backdoor through the POS terminals allowed access to Target’s Customer Relationship Management (CRM) system, which would have held a lot more customer history. This isn’t certain, but it is generally accepted as likely.
Target’s security software actually set off alarms related to the attack at least twice: around November 30 and around December 2. In both cases, because the tools they used had a tendency toward false alarms, the notifications were ignored.
On November 30, the attack software was augmented with exfiltration malware, and by December 2 the attackers had started moving most of the data out (this was the second security software alert that was ignored).
Target was blissfully unaware until December 12, when the U.S. Department of Justice reached out to tell them that their customer data was available on the Dark Net.
It still took 3 days (December 15) before the malware was removed.
The exfiltration from Target went to servers in Miami and Brazil. It ended up in Russia as 11GB of data and from there was posted to various black-market forums.
With hindsight, Target could have had better security practices and training. They could have enforced better firewalls between POS and internal systems, and they could have checked suppliers for proper security protocols. Finally, they could have responded more quickly and not ignored the early alerts. Target took security seriously: they passed what they reasonably thought was the highest level of audit, and they invested in security (the additional $100M added to that budget in the aftermath would help).
How secure are your systems?