
CASE ANALYSIS

CYBER BREACH AT TARGET

Group-1
Saumya Gupta
Saumya Jalan
Shriya Kaul
Rounak Agarwal
Harshvardhan
Kartik Bhalla
Amandeep Prasad
Badami Naman Abhaykumar
TARGET CO.
• Aimed to combine the best of the fashion world with
the best of the discount world
• Operated 1919 stores in USA and Canada
• Had revenues of over $72 billion, reflecting a
2.8% CAGR in the past 5 years
Details
• Personal and credit card details of 110 million
customers were stolen, leading to the 2nd largest data
breach in American history
• Took place between 27th November and 18th December
2013
• A phishing email was sent to Target’s vendor, Fazio
Mechanical Services, which had remote access to
Target’s network.
Aftermath
• The share price of Target fell drastically by
8.8% and sales fell 6.6%
• Target had to settle with Visa for $67 million and
with Mastercard for roughly $40 million.
• Target had to spend roughly $290 million in costs
related to the breach and expected a
reimbursement of $90 million from insurers.
TIMELINE OF THE ATTACK
Target timeline
• Sept 2013: Target certified as PCI-DSS
• 2 Dec: FireEye alerts triggered but ignored
• 12 Dec: DOJ notifies Target
• 15 Dec: Target confirms breach and removes most malware
Attacker timeline
• Sept 2013: Attackers steal Fazio credentials
• 11-12 Nov: Attackers breach Target network
• 15-28 Nov: Malware tested on Target POS
• 30 Nov: Malware fully installed, along with data exfiltration malware
• 2-15 Dec: Attackers start exporting data to external server in Russia
ANNOUNCEMENTS BY TARGET
• Dec 19: Target posted on its corporate website
• Dec 20: Target CEO posted on website and sent emails to
customers about PIN numbers not being compromised
• Dec 21-22: 10% discount offered
• Dec 27: Target confirms PIN information being stolen
• Jan 10: Target announces other personal information had
also been stolen
KILL CHAIN ANALYSIS

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives
MISTAKES

MISTAKE #1 | SEPT 2013
• Fazio, one of the ventilation providers, used the
free version of “Malwarebytes Anti-Malware”

Mistake #2 | Sept 2013
• No investigations were undertaken after Target’s
security team identified vulnerabilities in the
firm’s payment card systems and cash registers.
• A route existed between Fazio’s network and Target’s
payment network. (NOT DESIRABLE!)
MISTAKE #3 | NOV 2013
• Careless attitude of Target’s in-house security team
when FireEye Inc. raised an alert.
• No response by the US team, as they thought it to
be a false positive under the name of
“malware.binary”

Mistake #4 | Dec 2013
• Absolutely NO RESPONSE by the US security
team in Minneapolis when the Bangalore team,
FireEye Inc., raised an alert.
• This alert was about the malware exporting
credit card data to the hackers in real time.
MISTAKE #5 | DEC 2013
• Target’s security team had turned off the feature
of auto-killing the malware.
• It is unclear who switched off the default
feature.
HOW COULD TARGET INC.
AVOID BEING TARGETED?
• The attack on Target went unnoticed for 18 days!
• Use of PCI DSS 2.1 standards. (It is uncertain whether
Target was even compliant with PCI 2.0.)
• Elimination of unneeded default accounts, which the
hackers utilized to access the most sensitive parts of
Target’s network.
• Hiring some of Norton, McAfee and Avast to
generate malicious software in order to test
whether the current system is prone to attacks.
ACTIONS TAKEN
• Target executives were called to testify before the
Senate Judiciary Committee and the Senate Commerce,
Science, and Transportation Committee. The
committees released a report on how Target missed
numerous opportunities to stop the attack.
• In the aftermath of the breach, Target had 81 consumer
cases, 28 bank cases, and 4 shareholder cases filed and
pending before various courts.
• Customers had to go through a lot of hardship due to the
delay in discovering the breach, which allowed hackers
to continue stealing credit and debit card information.
• In November 2015, Target agreed to a settlement for
consumer losses and notified 61 million people, making
them eligible to recover up to $10,000 for their
documented expenses.
• Visa, Mastercard, and other financial institutions
also filed lawsuits against Target, as they had to
bear additional costs from reissuing cards,
reimbursing customers for unauthorized
charges and adding staff to provide customer
care.
• Shareholders of Target filed derivative lawsuits
against all directors on the firm’s board and against the
CFO and CIO, who were alleged to have failed to
implement internal controls to protect consumer
data and to report the breach in a timely manner.
• In its defense, Target’s board issued a letter
assuring shareholders that it took its
responsibility seriously, citing the investments
it had made in information security. They
offered free credit monitoring services for
everyone impacted.
ACCOUNTABILITY
FAZIO MECHANICAL SERVICES:
• The security product used, “Malwarebytes Anti-Malware”, explicitly
prohibited corporate use. This was a loophole in the vendor’s
security management.
TARGET SECURITY TEAM:
• Identified vulnerabilities in Fazio’s payment card system but didn’t
do further investigation.
• Presence of a route between an outside contractor and the network for
payment data.
• The FireEye team initially raised an alert of an attack after the Black
Friday sale, to which the security team didn’t respond.
• The system had a feature to automatically kill any malware it
detected, but this was turned off.
• Ignored alerts raised by Visa, Mastercard and other financial
institutions.
CIO:
• Questions were raised about whether the former CIO
was qualified for the role in comparison to the
newer one.
Management:
• The management absolutely missed the
warnings from the company’s anti-intrusion
software and gave higher priority to Black
Friday sale.
THANK YOU
