Autopsy of a Data Breach: The Target Case
RISK MANAGEMENT ON DATA BREACHED CAUSES TARGET SECURE ACCESS TO THE SYSTEMS BY HAVING A SEGMENTED NETWORK.
The data breach at Target partly came from the failure of the retailers to appropriately separate the systems dealing with sensitive payment card data from the rest of the network. Hackers broke into the network of the retailers through the use of login identifications which were taken from the heating, ventilation, and air conditioning organizations working for target in several places. The attackers got access given by the Fazio-credentials to undertake activities on the target network undetected and also upload malware programs on the POS System of the company. They managed to steal about $40M credit and debit card data. The company allowed third-party access to their network and it failed to secure access to the systems. Target gave Fazio access, but it should have segmented its networks to make sure that Fazio or any other person doesn’t have access to the payment system/ database.
RISK FACED BY TARGET COMPANY — VALIDATE PROCESS, RECONCILE, DATA CONSOLIDATION, INFORMATION UNAVAILABILITY, AND CONFIDENTIALITY VULNERABILITIES.
A complex database computer system requires complex controls and security measures. The main risk is the company’s process to validate, reconcile, and consolidate data (VRC). Other risks include information unavailability and confidentiality vulnerabilities. The risk of unauthorized access was the risk that played such a big role in Target’s breach. Penetration testing may help identify and prioritize security risks.
The role Internal Audit plays in the testing of controls has become extremely critical, particularly in light of the many technological changes that have resulted in Enterprise Resource Management (ERM) database systems, that are shared by not only all divisions and subsidiaries of a company, but also, in part, with third parties, such as customers and vendors. This interconnectedness of systems leads to concerns about improper access to confidential information. The Internal Audit profession is well aware of the growing risk of and consequences associated with data breaches. Retailing companies, with their system linked to those of vendors, credit card companies, and other external parties, can easily be penetrated through one of these third-party networks, which is linked to theirs. In the case of Target, the hackers gained access to the 40 million customers’ data by using the credentials of one of Target’s vendors.
PROCEDURES TO DISCOVER THE SYSTEM’S VULNERABILITY; TESTING THE NETWORK AND ITS APPLICATIONS AND CHECK PASSWORDS FOR SENSITIVE ACCOUNTS STORED IN ENCRYPTED FILES
● Testing the network and its applications for possible intrusions and vulnerabilities; Performed by using logs of network activity to look for anomalies such as failed log-in attempts, the unexpected volume of traffic between systems, sudden activity, or volume in one specific account.
● Check that passwords for sensitive accounts stored in encrypted files; Determine the change management procedures used about system software, application systems, and data, i.e., ensure adequate separation of duties so that the programmer who develops the difference does not update the actual policy, preferably someone in the operations updates program after the programmer’s supervisor has approved it. It is critical to prevent all types of fraud; Since so many transactions are being done using many types of mobile devices, a test that encryption used for things such as phones, tablets, and others.
THE NEGATIVE IMPACT BREACHED ON TARGET — DECLINING STORE TRAFFIC AND CONSUMERS, CUSTOMER SATISFACTION, AND CUSTOMER SERVICE DECLINE DUE TO CREDIT BREACH.
● Target is battling declining store traffic and consumers reluctant to buy from target.
● Satisfaction with overall shopping experience drop-down almost 2 % points in March.
● Customer service dropped 3.3 % points to 71%; High-income shoppers drop 9% points to 70%.
● Declined in customer service is due to the credit breach, but could be related to Target’s ongoing efforts to control expenses amid declines in traffic and sales.
THE POSITIVE IMPACT BREACHED ON TARGET — ATTRACT MORE CUSTOMERS WITH THE SECURE SYSTEM THE HAVE INSTALLED
● Target Makes a Comeback One Year After Security Breach
● The company tends to attract more customers because of the secure-system they have launched after the breached.
● They gain customer’s trust to earn back their business through:
1. Credit or identity monitoring services for those affected
2. Provide a cyber-security webinar for your customers that provides tips about how to protect themselves from hackers.
3. Send a message to your email list, highlighting your pledge to improve cyber-security. Include a list of all the security updates you’ve made, and continue to follow up as you meet additionally stated objectives.
4. React quickly and be forthcoming with information. Use your website and social media to reach beyond your regular audience.
STEPS TO PREVENT A DATA BREACH BY PERFORMING ORGANIZATION-WIDE RISK MANAGEMENT ACTIVITIES ON A REGULAR BASIS
● PCI compliance alone is not a risk management strategy
● Vulnerabilities and Threats for all systems, not just those within scope for compliance audits, are identified.
● Threats and vulnerabilities are then prioritized and fixed to limit risk to an acceptable level.
● Constant re-evaluation is required as the threat landscape is always changing.
● Businesses need to employ an adequate number of security professionals who understand the business, the risks, and the potential loss.
● Security staff needs to be vigilant to understand new potential threats and vulnerabilities when they appear.’
LESSONS -EMV TECHNOLOGY IS NOT ENOUGH TO STOP FRAUD, NETWORK SEGMENTATION IS A NECESSITY, THIRD-PARTY COMPLIANCE, RETAILERS MAY BE LIABLE, CYBER THREAT INTELLIGENCE SHARING MUST IMPROVE.
Lessons can be drawn from this case —
● EMV Technology Alone Is Not Enough to Stop Fraud
● Network Segmentation Is a Necessity
● Third-Party Oversight Is Part of Compliance
● Log Monitoring Needs Analytics
● Executives, Boards Are Accountable
● Retailers May Be Liable for Breaches
● Cyberthreat Intelligence Sharing Must Improve
We can conclude a few things from this: Target’s systems were not protected and vulnerable to phishing attacks, networks were not adequately segregated, and several previous warnings were overlooked. What is interesting to consider about the Target data breach is the fact that Target passed PCI compliance audits prior to the breach.
Each asset has a specific set of threats and vulnerabilities that can be considered as part of a risk management program, rather than simply implementing what is mandated for a subset of assets.