In 2013, data breaches were common, but didn’t particularly weigh heavily in the public consciousness. While major data breaches had certainly occurred by that point, these breaches tended to affect less personal businesses. After all, Americans weren’t going into Yahoo or Equifax every week for grocery shopping. Data breaches tended to affect corporations that most people only interacted with online. Therefore, when a data breach occurred, it didn’t feel as personal. Combined with the equally impersonal picture of shadowy hackers stealing data from continents away, data breaches weren’t seen as a massive issue to the general population, but as an online nuisance.
Unfortunately, that mindset soon changed. In late 2013, in the middle of the holiday shopping season, Target fell victim to a data breach, with over 70 million people’s financial information becoming compromised [1]. While 70 million may sound paltry compared to Yahoo’s 3 billion leaked accounts, the damage to those 70 million victims was much more severe. Ultimately, this hack put data breaches on the mind of everyday citizens. After all, these hackers didn’t target a shadowy Internet business that only a few hundred people have physically been to. This hack targeted a popular chain of stores where millions of people shop every week.
In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.
The Breach
In September 2013, the cybercriminals responsible for the attack began their strike on the popular retail chain. However, the hackers’ plans did not involve attacking Target directly, at least not yet. The cybercriminals targeted Fazio Mechanical Services, a contractor that provided Target with heating and air conditioning [2]. From Fazio and its approved credentials, the hackers then accessed Target’s network and quickly found access to Target’s point-of-sale (POS) systems. From there, the attackers installed malware that recorded credit card data. Finally, the hackers encrypted the credit card data and exfiltrated it right under Target’s nose.
Target became aware of a potential breach on November 30, when a Target security operations center in India recorded potentially malicious activity [1]. That activity was shared with the Target corporate office in Minneapolis, but no action was taken. Again, on December 2, malicious activity was found and reported, but no action was taken by the corporate office. Finally, on December 12, the US Department of Justice contacted Target about a potential data breach, and an investigation began [1]. One week later, Target publicly revealed the data breach.
All in all, over 70 million customer records and 40 million payment card credentials were stolen in the hack [3]. This information was put up for sale on the dark web, where any variety of cybercriminals could pay for the stolen financial data. The data breach not only included debit and credit card numbers, but PIN numbers as well, putting affected customers at a large financial risk. Overall, while 70 million victims may pale in comparison to other data breaches, the breach’s effect on those victims was enormous.
The Fallout
In the years following the data breach, Target paid over USD $200 million in costs related to the hack [4]. Target could have paid much more, but the company had a cybersecurity insurance policy that covered about USD $90 million of the total cost [1]. Additionally, Target agreed to a settlement of USD $18.5 million to 47 state governments for further compensation to victims [4]. As part of the settlement, Target agreed to tighten its security measures, along with promising to separate its cardholder data from the rest of its computer network. Additionally, Target’s CEO, Gregg Steinhafel, resigned in May 2014, in the aftermath of the attack [4]. Although the breach certainly did not put Target out of business, it had a profound effect on the company’s financial security, along with consumer trust in the company.
To this day, just one person has been charged in connection to the attack. In 2018, a Latvian computer programmer named Ruslan Bondars was sentenced to 14 years in prison for creating a program that helped cybercriminals, including the perpetrators behind the Target attack, improve malware [5]. However, Bondars was not immediately connected to the attack. Cybersecurity experts hypothesize that Andrey Hodirevsky, a Ukrainian programmer who specializes in selling stolen financial information, was the mastermind behind the attack [5]. However, Hodirevsky has never been charged with the crime.
Finally, the Target data breach affected not only the victims, but spearheaded a massive change in credit card usage as well. Following the breach, Target was one of the first companies to offer credit cards with embedded microchips, which provides better security than the traditional magnetic swipe [3]. So while the Target attack affected millions of victims, it also helped encourage the necessary transition from magnetic swipes to chip cards.
Overall, the Target data breach highlights the importance of communications, especially when it comes to cybersecurity incidents. Had Target taken action earlier, the effects of the data breach could have been mitigated or even eliminated. Unfortunately, in the time it took for Target to realize something was wrong, the damage had already been done. Thankfully, Target quickly identified and eliminated the malware, and also ushered in the era of microchipped cards.
Keep Your Data Secure with AXEL Go
AXEL Go is a secure file-sharing and storage software that puts you back in control of your data. From military-grade encryption to blockchain technology, AXEL offers the most stringent security for your most important files. If you’re ready to take back control of your data, try two weeks of AXEL Go for free here. To read more about AXEL Go, click here.
[1] Plachkinova, Miloslava, and Chris Maurer. “Teaching Case Security Breach at Target.” Journal of Information Systems Education 29, no. 1 (March 21, 2018). https://jise.org/Volume29/n1/JISEv29n1p11.pdf.
[2] Shu, Xiaokui, Ke Tian, Andrew Ciambrone, and Danfeng Yao. “Breaking the Target: An Analysis of Target Data Breach and Lessons Learned.” January 18, 2017. https://arxiv.org/pdf/1701.04940.pdf.
[3] Myers, Lysa. “Target Targeted: Five Years on from a Breach That Shook the Cybersecurity Industry.” WeLiveSecurity. December 13, 2018. https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/.
[4] Abrams, Rachel. “Target to Pay $18.5 Million to 47 States in Security Breach Settlement.” The New York Times. May 23, 2017. https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.
[5] Weiner, Rachel. “Hacker Linked to Target Data Breach Gets 14 Years in Prison.” The Washington Post. September 21, 2018. https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html.