
Target data breach: the cost increases as investigation continues

In the weeks following the Target data breach, we continue to learn of new exposures that may be falling on deaf ears. As a nation, we have become rather desensitized to the influx of data breaches. The number of large-scale security breaches has grown so steadily over the last several years that we are all starting to dismiss these events as “yet another breach”. But the Target case reminds us that risks change continuously, and that we ignore emerging risks at our businesses’ peril. We need to stay attuned to the risks that this data breach presented, ask questions, and vigilantly review risk management practices.

Recent reports indicate that the data breach impacted over 100 million records, involved over 40 million credit and debit card numbers, and personal data from over 70 million customers. It’s also expected that the associated costs will approach $1 billion. It may finally prompt the U.S. to adopt the “chip and PIN” payment cards that have been in use in Europe for years (at a significant cost to the industry).

The breach occurred after hackers gained access to Target’s network by stealing the access credentials of a refrigeration contractor in Pennsylvania who was working with Target. The HVAC contractor confirmed that it had a data connection with Target for electronic billing, contract submission and project management. After entering the system from that connection, the hackers moved through Target’s entire system, eventually accessing the system that handled payments at the company’s cash registers.

The stolen information came from the cards’ magnetic stripes and is valuable on the black market. This “track data” allows criminals to create counterfeit cards by encoding it onto any card with a magnetic stripe. The hackers were also able to intercept PIN codes, gaining access to victims’ ATM accounts as well. Additional information was reportedly stolen too, including names, addresses, phone numbers and/or email addresses.

CFO John Mulligan defended the company in testimony before Congress, claiming that Target executives had only recently learned about the malware in its systems, and that the company had passed a credit card protection compliance audit in late 2013. However, some speculate that the company failed to keep its network fully secured. The company has since moved to isolate different platforms and networks from one another, to make it more difficult for hackers to move between them.

Still, the whole situation raises the question: why would an HVAC contractor have credentials for any Target network at all? And why would those credentials provide access to Target’s payment network?

The answer to the first question will increasingly come, in part, from the new risks posed by the “Internet of Things”. We are rapidly moving into a world where everything is connected to the Internet. This includes cars, security systems, refrigeration systems, lighting systems, alarm systems, power plants, fire control systems, medical systems, traffic management systems, navigation systems, and… yes, HVAC systems. All of these Internet-connected devices provide a cornucopia of targets to hackers around the world.

These devices pose new risks because, as any security professional knows, once you connect a device to the Internet, it will be scanned for vulnerabilities within minutes. In 2012, an anonymous researcher spent five months methodically scanning the entire Internet for vulnerabilities. He found 1.3 billion devices and observed the following: “As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.” In early 2013, HD Moore, Chief Research Officer for Rapid7, ran his own scan of the entire Internet over a few months, and found over 100,000 devices with no security at all connected to the open Internet, including traffic lights and fuel pumps. Then, in mid-2013, University of Michigan researchers launched ZMap, a tool that allows a complete scan of the entire Internet in just 45 minutes. The fantasy technology we have all watched in science fiction and spy movies is rapidly becoming reality.

But clearly this new risk is not the entire story here. An Internet-connected HVAC system that’s properly secured and not connected to a payment network would not have triggered problems on this scale. The attack leveraged at least two other factors.

The oldest risk of all is people – they remain the weakest link in any security system. It is easy to visualize how a hacker impersonating a Target IT or security staffer could have contacted an HVAC contractor’s employee (or contractor) and obtained his or her credentials under false pretenses. New risk, facilitated by old risk.

Other complex factors will surely come to light as we learn more about this breach. For example, was the PCI DSS 8.3 requirement that remote access require two-factor authentication followed? Would it have mattered? If you can social-engineer a contractor into providing a user name and password, you can also probably obtain a one-time token.
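The “would it have mattered?” question can be made concrete. A time-based one-time password (RFC 6238 TOTP) protects against a stolen static password, but by design it is valid for a short window, so a code handed over in real time is accepted like any other. What a careful verifier does add is that the code dies within seconds and can never be used a second time. The code below is an added example written for this post, not Target’s or the PCI SSC’s implementation; it implements HMAC-SHA1 TOTP, a verifier with one step of clock skew and single-use enforcement, and a constructed scenario using the RFC 6238 test-vector secret.

```python
"""TOTP second factor with single-use enforcement (added example, RFC 6238)."""
import hashlib
import hmac
import struct
from typing import Set, Tuple

STEP = 30      # seconds per time step
DIGITS = 6     # code length


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: accept a code once, within +/- skew_steps of now."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.used: Set[int] = set()   # time-step counters already consumed

    def verify(self, code: str, now: int) -> Tuple[bool, str]:
        if len(code) != DIGITS or not code.isdigit():
            return False, "malformed"
        base = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):    # constant-time compare
                if counter in self.used:
                    return False, "replayed"
                self.used.add(counter)
                return True, "accepted"
        return False, "wrong-or-expired"


# Constructed scenario. The secret is the RFC 6238 test-vector secret, for
# which the SHA-1 TOTP at T=59 is 94287082 (287082 at six digits).
SECRET = b"12345678901234567890"


def scenario():
    """Show what a one-time code does and does not defend against."""
    verifier = TotpVerifier(SECRET)
    t0 = 59
    code = totp(SECRET, t0)                     # code the user was tricked into giving up
    results = {
        # relayed by the attacker 10 s later: still inside the window, accepted
        "relayed_in_window": verifier.verify(code, t0 + 10),
        # second use of the same code: rejected regardless of timing
        "replayed": verifier.verify(code, t0 + 12),
        # same code presented 90 s later to a verifier that never saw it: expired
        "stale": TotpVerifier(SECRET).verify(code, t0 + 3 * STEP),
    }
    return code, results


if __name__ == "__main__":
    code, results = scenario()
    print("code:", code)
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
```

The `used` set is per-process here; in a real deployment it has to live in a store shared by every node that verifies codes, otherwise a replay against a different server succeeds. The example supports the post’s point rather than contradicting it: the control narrows the attacker to a window of seconds and one use, but a contractor persuaded to read out a code while the attacker is on the line defeats it.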

For more information about how such complex risks can affect your business, and about how you can help mitigate those risks and the financial liabilities they may cause, we encourage you to contact the WGA team.

About the contributing authors

Ann Mizner McKay is the General Counsel and Senior Vice President at WGA. She manages the legal affairs of the company and also serves as the Claims Practice Leader for WGA. She has extensive experience and knowledge in various types of risks including technology, healthcare, business service, environmental, energy, life sciences, financial institutions and other business risks.

617.646.0238 | AMiznermckay@wgains.com | Connect on LinkedIn

Alain Marcuse, CISSP, is Vice President of Information Technology at WGA. As the leader of the firm’s IT organization, he oversees the firm’s internal and client-facing systems, and is responsible for ensuring data security and all customer privacy information.

617.646.0256 | AMarcuse@wgains.com | Connect on LinkedIn
