Target Cyber Breach Report: "Security Is Only As Strong As The Weakest Link"

Target was vulnerable to cyberattack due to weaknesses in their network security and failure to properly address security issues. The hackers were able to access Target's network through a compromised vendor and steal payment card data for millions of customers. In response, Target failed to shut down stores or provide adequate customer service, worsening the impact. Lessons include the need to properly vet vendors' security, invest in cybersecurity rather than relying on compliance, and respond quickly and transparently to breaches.

Uploaded by Manjunath Abhi

Target Cyber Breach Report

-K A Adeab
-B Section
-PES1201801308

1. What’s your diagnosis of the breach at Target—was Target
particularly vulnerable or simply unlucky?
Target was unlucky in the sense that they were attacked during
Christmas time; a time during which preparation for upcoming sales was
being done by launching a new payment system. As a result they made
security a lower priority and didn’t have enough time to find flaws in the
system.

Apart from ignoring security warnings, Target was vulnerable from the
start. Their Point Of Sale (POS) systems were not in an isolated part of
the network, and because of this attackers were able to access the
personal and payment information of millions of customers.
“Security is only as strong as the weakest link” is an apt phrase for
Target’s situation, as one of their vendors, Fazio, proved to be the
weakest link. The hackers were able to steal Fazio’s credentials through
phishing attacks and gained access to Target’s internal network.

Ignoring security warnings only compounded the damage
faced by Target. The alerts sent by the FireEye team were deemed
“false positive” by Target’s security team. In fact, Target’s security team
had lowered their company’s security by turning off the function which
automatically deletes malware as it's detected. Another weak link could
have been the unreliability of Trustwave Holdings, the company which
provided Target with Payment Card Industry Data Security Standard
(PCI DSS) certification of compliance. The certificate proved to be
pointless, as it became evident that Target was not actually compliant
with the standards. To add insult to injury, the standards themselves were
not dynamic in nature. So hypothetically, even if Target had been completely
compliant with the security standards of PCI at the time, they would still
have been vulnerable to attacks.
2. What, if anything, might Target have done better to avoid being
breached? What technical or organizational constraints might have
prevented them from taking such actions?
Target could have done a better security background check of their
business partners like Fazio and Trustwave. Fazio’s access to Target’s
supplier portal didn’t require 2FA as it wasn’t part of the POS system.
Adding another layer of authentication would have made it more secure.
Poor segmentation of their POS networks made matters worse. The
PCI standard certification provided by Trustwave was not reliable, and
other companies that received the certification were also prone to
cyberattacks.

Target’s security team was careless and ignored several security alerts.
I believe this was their biggest mistake which could have been easily
avoided by simply being more concerned.
The preparation for the Christmas/Black Friday sales should have
started at least a year in advance so that the security team has enough
time to find flaws in the system. It was evident that two months didn’t
suffice for finding flaws and debugging them.

It is possible that Target thought of security as an obstacle
that was just getting in the way of development and couldn’t scale their
business while keeping it secure at the same time. The security
team should be fully integrated with the DevOps team of Target in order
to prevent issues like this.

3. What’s your assessment of Target’s post-breach response? What
did Target do poorly? What did they do well?
Target did not do particularly well in the post-breach scenario. For 12
straight days they did nothing and ignored warnings. In fact they were
informed by the US Department of Justice (DOJ) that there was a
breach on 12th December, 2013. On the 15th, they started removing
malware from the systems. They took too long to respond to the breach.
While Target was getting rid of the malware, their stores were open.
Target did not take emergency measures like shutting down stores to
protect the customers shopping on the 15th. This could have saved some
customers from having their information stolen, unless they were
regular customers. Their customer service was terrible; shoppers had to
wait a long time to get a connection and, after successfully getting
connected, they were asked to visit a website whose URL was not easy
to remember, making it harder to obtain information regarding the
breach.

In terms of what they did well, there’s not much to say other than the
fact that they provided discounts and credit fraud monitoring for US
customers for a year. They did admit that their call centre service was
not up to the mark. They also diligently paid up to 290 million dollars in
legal fees and other fines.

4. To what extent is Target’s board of directors accountable for the
breach and its consequences? As a member of the Target board,
what would you do in the wake of the breach? What changes
would you advocate?
The board members were described as “negligent”, “reckless” and
“irresponsible” by higher authorities. They didn’t take their jobs seriously
and mismanaged the company’s resources. Despite all this, the board
members cannot be held completely accountable for the breach. Their
job doesn’t involve managing security teams or any other development
team for that matter.

As a member of the board, I would take the concerns of the security
team seriously and propose the idea of immediately shutting down the
stores to reduce further damages instead of keeping the stores open.
Since there are about 1800 Target stores all across America, and
approximately thousands of people visit each store every day, there
must be at least a few million people shopping at Target in total each
day. Shutting down the stores for at least a day will save the private
information of at least a million people from a pool of 70 million people.

5. What lessons can you draw from this case for prevention and
response to cyber breaches?
In the case of prevention, we need to hire the right people who are
actually qualified for the job. The Chief Information Officer (CIO) had 40
years of experience in data security and other fields, yet it is evident
that she didn’t do her job properly. She has been shifting roles within
the company since 1984 and I doubt she updated her knowledge about
security throughout the years. We should be concerned about the
security of our business partners (or vendors in this case), as they could
affect security of our systems as well. Investing more into security is
also important as it ensures protection against cyber threats that we
cannot foresee. We should not blindly trust the security standards set by
other companies, as they can quickly become outdated. The standards
should be considered a minimum requirement rather than
the highest standard.

Responding to breaches quickly is very important. We know for a fact
that Target got rid of the malware within a day of discovering it. Initially
Target released a statement saying that only 40 million people were
exposed in the breach, but then reversed their statement once they
found out that the number was close to 70 million when they realised
that even PIN numbers were leaked. In conclusion, accurately
representing the severity of the breach is also very important when it
comes to saving the company’s reputation.

6. How would you characterize your role as a director in relation to
cybersecurity at your organization? What are some concrete
things that you can do as a director to oversee this domain?
● We need to approach cybersecurity as a risk management issue
and not an IT issue.
● Each member of the board must have a good understanding of
basic cybersecurity principles.
● Manage security programs and supervise security departments.
● Develop strategies to handle security incidents.
● Provide leadership, training and guidance to staff members.
● Connect organizational requirements with security goals.

7. What do you think companies can do better today to protect
themselves from cyber breaches and in their post-breach
response?
Companies can invest more in the cybersecurity domain and train more staff
members to prevent attacks like phishing. One of the most common
reasons for breaches is social engineering attacks, where the
employees end up being the starting point of failure. For example, in
2020, hackers got access to insider administrative tools of Twitter by
bribing specific employees. Attackers impersonated multiple celebrities
on Twitter and were able to receive 100k dollars' worth of Bitcoin at
the time. This is why cybersecurity is seen as a risk management issue:
a breach is never 100% preventable, and our duties lie in how
we manage such risks.
In the case of a post-breach scenario, companies should be allowed to
slightly delay the announcement of their statements and should focus
more on the repair of damages in order to represent their damages
accurately in their statements.
