In early December of 2013, internal analysts at retail giant Target detected evidence of an intrusion into the company-wide Point of Sale (POS) system. The massive, networked system that controlled every single register at every single store had been compromised by a Windows-based memory scraper dubbed “Reedum,” capable of capturing and retransmitting every card transaction processed through the register.
For five days Target IT staff consulted with the Department of Justice and frantically tried to track and expunge the malware, leaving customers in the dark.
Then the story broke.
The Biggest Credit Card Hack in History was Right on Target
The bad news for Target unfolded slowly, with damaging headlines appearing for months.
Although the company first maintained that very few cards had been compromised in the attack, sales immediately took a hit. By December 22, Target recorded that year-over-year holiday transactions were down 4 percent in what is usually the most profitable season for the retail sector.
It wasn’t until early January that the company admitted that some 70 million cards had been compromised, and many customers had also had email and other personal information stolen.
Business plummeted. By late January, 475 headquarters staff were laid off and 700 other positions were left unfilled. By February, costs from the breach topped $200 million. In May, CEO Gregg Steinhafel resigned.
Two years later, the company was forced to pay almost $120 million to cover costs associated with the theft – making payments to banks, credit card companies, and consumers.
It was the largest retail credit card hack in history – at least, until the next year, when hackers hit Home Depot even harder.
Such are the stakes for cybersecurity professionals working in the retail sector. Massive volumes of valuable credit card and personal information combined with tight margins make retail stores a valuable target for hackers.
The demand for experienced information security professionals in the retail sector spiked as retailers scrambled to avoid similar fiascos.
Corporate Secrecy Makes Life Harder for Retail Cybersecurity Analysts
To this day, Target has refused to provide an official accounting to the public of what exactly happened during the two weeks that hackers ran rampant inside their network.
This inclination toward secrecy runs deep in the competitive retail environment. It also makes life much more difficult for information security professionals intent on working together freely across corporate boundaries to learn from each other and understand what precedents have already been established – hackers, after all, have to obey no such strictures.
As plummeting sales at Target demonstrated, though, companies aren’t wrong to fear decreased consumer confidence in the wake of attacks. According to IBM’s Security Intelligence website, one retailer’s profits dropped by almost half one quarter after the company revealed a major breach.
Data breaches at retailers actually only account for about 6 percent of the total number of breaches that take place in the United States each year. However, when popular retail brands like Target and Home Depot are affected, it’s name recognition that pushes the story into the nightly news.
But despite the risks, the retail industry is beginning to close ranks against data thieves. In 2014, the Retail Industry Leaders Association launched a new program called the Retail Cyber Intelligence Sharing Center. Founding members of the consortium included Neiman Marcus, Michaels, and, yes, Target.
From Securing the Till with Chip Card Readers to Building Layered Network Security Protocols
Many improvements in retail security are being driven not by retailers themselves but by the credit card industry, which is initially on the hook for fraudulent card activity resulting from breaches at the retail level. 2015 saw a major shift in cybersecurity as most credit and debit cards in the United States finally moved to the on-card chip technology that had long proven a successful deterrent to fraud overseas.
Retail stores are still responsible for implementing the chip card readers, however, and many of them, citing the expense (up to $2000 per machine), continue to drag their feet.
Retailers have their own bone to pick with card issuers: retail cybersecurity professionals have long advocated for card companies to stop requiring stores to retain transaction data (including card numbers), as is currently the case. Information security professionals believe that retail stores would be far less vulnerable if they were allowed to simply keep an encrypted key referencing the transaction instead of the raw data itself.
Traditionally, cybersecurity professionals have focused much of their efforts on controlling internal threats – a dirty little secret of data breaches is that as many as 43 percent are committed by employees, not outside actors.
But in retail, 83 percent of attacks come from outside the company, making network security – not just point of sale security – the most important place to focus attention. This requires deep defenses, not just a reliance on perimeter firewalls. As Target learned, once the hackers got inside, there were no further obstacles between them and the POS devices and corporate databases that they eventually scraped clean.
Another lesson from the Target attack was to be wary of partners. Initial access to the Target network came via a small heating and air conditioning company called Fazio Mechanical, which serviced some Target locations. Fazio has only around 125 staff. The company had little defense against a phishing attack that compromised its network, and it was only a matter of months before the hackers had the VPN (Virtual Private Network) credentials that Fazio technicians used to log in to Target.
Why staff from an air conditioning company had credentials that let them directly into the heart of a major retail wide area network is a question that will keep cybersecurity professionals scratching their heads for years to come. But the scenario is not particularly unusual for companies without strong, layered information security protocols.
Both companies employed routine anti-virus and malware detection but, as is often the case, that alone was insufficient to detect the attack.
Cybersecurity Pros Spend More Time Reading the Tea Leaves in the Wake of Big Breaches
Another major failing at Target was detection. Not only were the attackers not stopped by internal security systems, but they were allowed to run rampant inside the network for two weeks before being noticed. This allowed them to not only install harvesting malware on POS devices, but also to access internal databases, which contained years and years of historical records. All that extra time exposed customers who hadn’t shopped at the retailer in years, seriously damaging trust in the brand.
Today, retail cybersecurity experts are becoming more proactive in every aspect of network security. Not only are they engaging outside agencies to conduct aggressive penetration testing to look for holes before hackers can find them, they are also increasingly deploying sophisticated log-monitoring and network request scanning to track anomalous activity and bring it to the attention of investigators.