target data breach case study ppt

• Harvard Business School →
• Faculty & Research →
• July 2016 (Revised January 2019)
• HBS Case Collection

Cyber Breach at Target

• Format: Print
• | Language: English
• | Pages: 32

About The Authors

Suraj Srinivasan

Lynn S. Paine

Related work.

• February 2018
• Faculty Research
• Cyber Breach at Target  By: Suraj Srinivasan and Lynn Paine
• Cyber Breach at Target  By: Suraj Srinivasan, Lynn S. Paine and Neeraj Goyal

Brought to you by:

Autopsy of a Data Breach: The Target Case

By: Line Dube

This case revisits the events in late 2013 that gave rise to what was at the time the largest breach of confidential data in history. Indeed, on December 19, 2013, Target announced that its computer…

• Length: 8 page(s)
• Publication Date: Mar 1, 2016
• Discipline: Information Technology
• Product #: HEC130-PDF-ENG

What's included:

• Teaching Note
• Educator Copy

$4.95 per student

degree granting course

$8.95 per student

non-degree granting course

Get access to this material, plus much more with a free Educator Account:

• Access to world-famous HBS cases
• Up to 60% off materials for your students
• Resources for teaching online
• Tips and reviews from other Educators

Already registered? Sign in

• Student Registration
• Non-Academic Registration
• Included Materials

This case revisits the events in late 2013 that gave rise to what was at the time the largest breach of confidential data in history. Indeed, on December 19, 2013, Target announced that its computer network had been infiltrated by cybercriminals who stole 40 million debit and credit card numbers as well as the personal information of some 70 million additional customers. The case presents the cybercriminals' activities leading up to the breach, details of the commission of the theft, the measures that Target had put in place to deter such attacks, its ill-fated response during the attack and, finally, the impact of the breach on Target as well as on the retail industry as a whole.

Learning Objectives

The case allows students to: - familiarize themselves with the basic vocabulary related to information security; - understand how threats can materialize, resulting in a major data breach (approaches and actors); - identify the vulnerabilities of a business (by analyzing and understanding the different sources of risk); - become aware of the fact that humans continue to be the weak link in the chain of information security; - understand the principal control measures a business can deploy to protect itself; - identify and understand the specific issues raised by information security, notably in a digital business environment.

Mar 1, 2016

Discipline:

Information Technology

Geographies:

United States

Industries:

Retail trade

HEC Montreal Centre for Case Studies

HEC130-PDF-ENG

We use cookies to understand how you use our site and to improve your experience, including personalizing content. Learn More . By continuing to use our site, you accept our use of cookies and revised Privacy Policy .

Anatomy of the Target data breach: Missed opportunities and lessons learned

Target's infamous data breach happened just over a year ago. Are we any the wiser? Have lessons been learned? Although not every detail has been made public, experts have developed an unofficial attack timeline that exposes critical junctures in the attack and highlights several points at which it could have been stopped.

The attack started on November 27, 2013. Target personnel discovered the breach and notified the U.S. Justice Department by December 13th. As of December 15th, Target had a third-party forensic team in place and the attack mitigated. On December 18th, security blogger Brian Krebs broke the story in this post . "Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records," mentioned Krebs. "The sources said the breach appears to have begun on or around Black Friday 2013 -- by far the busiest shopping day the year."

Then things became interesting. Target informed about 110 million credit/debit-card wielding shoppers, who made purchases at one of the company's stores during the attack, that their personal and financial information had been compromised. To put that in perspective, the attackers pilfered 11 gigabytes of data.

Anatomy of the attack

Now let's look at the sequence of events that precipitated the data breach. Had any of these steps been noticed and countered, the attack would likely have fallen apart.

1. Preliminary survey We don't know for certain if or how the attackers performed reconnaissance on Target's network prior to the attack, but it wouldn't have required much more than a simple internet search.

Teri Radichel in this GIAC (GSEC) dissertation explains how the attackers may have gleaned information about Target's infrastructure. "Reconnaissance would have revealed a detailed case study on the Microsoft website describing how Target uses Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager to deploy security patches and system updates," writes Radichel. "The case study also describes Target's technical infrastructure, including POS system information."

The internet provides additional clues. "A simple Google search turns up Target's Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc.," adds Krebs in this blog post . After drilling down, Krebs found a page listing HVAC and refrigeration companies.

2. Compromise third-party vendor The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.

A phishing email duped at least one Fazio employee, allowing Citadel , a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials.

At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which offered no real-time protection being an on-demand scanner. (Note: Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.)

Chris Poulin, a research strategist for IBM, in this paper offers some suggestions. Target should demand that vendors accessing their systems use appropriate anti-malware software. Poulin adds. "Or at least mandate two-factor authentication to contractors who have internal access to sensitive information."

3. Leveraging Target's vendor-portal access Most likely Citadel also gleaned login credentials for the portals used by Fazio Mechanical. With that in hand, the attackers got to work figuring out which portal to subvert and use as a staging point into Target's internal network. Target hasn't officially said which system was the entry point, but Ariba portal was a prime candidate.

Brian Krebs interviewed a former member of Target's security team regarding the Ariba portal, "Most, if not all, internal applications at Target used Active Directory (AD) credentials and I'm sure the Ariba system was no exception," the administrator told Krebs. "I wouldn't say the vendor had AD credentials, but internal administrators would use their AD logins to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another."

Poulin suggests several attack scenarios, "It's possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day, to gain a point of presence, escalate privileges, then attack internal systems."

Not knowing the details, makes it difficult to offer a remediation for this portion of the attack. However, Poulin opines that IPS/IDS systems, if in place, would have sensed the inappropriate attack traffic, notifying Target staff of the unusual behavior. According to this Bloomberg Business article , a malware detection tool made by the computer security firm FireEye was in place and sent an alarm, but the warning went unheeded.

4. Gain control of Target servers Again, Target hasn't said publicly how the attackers undermined several of their internal Windows servers, but there are several possibilities.

Radichel in the SANS dissertation offers one theory. "We can speculate the criminals used the attack cycle described in Mandiant's APT1 report to find vulnerabilities," mentions Radichel. "Then move laterally through the network... using other vulnerable systems."

Gary Warner, founder of Malcovery Security, feels servers fell to SQL-injection attacks. He bases that on the many similarities between the Target breach and those perpetrated by the Drinkman and Gonzalez data-breach gang which also used SQL injection.

5. Next stop, Target's point of sale (POS) systems This iSIGHT Partners report provides details about the malware, code-named Trojan.POSRAM, used to infect Target's POS system. The "RAM-scraping" portion of the POS malware grabs credit/debit card information from the memory of POS-devices as cards are swiped. "Every seven hours the Trojan checks to see if the local time is between the hours of 10 AM and 5 PM," mentions the iSIGHT Partners report. "If so, the Trojan attempts to send winxml.dll over a temporary NetBIOS share to an internal host (dump server) inside the compromised network over TCP port 139, 443 or 80."

This technique allowed attackers to steal data from POS terminals that lacked internet access.

Once the credit/debit card information was secure on the dump server, the POS malware sent a special ICMP (ping) packet to a remote server. The packet indicated that data resided on the dump server. The attackers then moved the stolen data to off-site FTP servers and sold their booty on the digital black market.

Lessons learned

As a result of the breach, Target has tried to improve security. A corporate webpage describes changes made by the company regarding their security posture, including the following:

• Improved monitoring and logging of system activity
• Installed application whitelisting POS systems and
• Implemented POS management tools
• Improved firewall rules and policies
• Limited or disabled vendor access to their network
• Disabled, reset, or reduced privileges on over 445,000 Target personnel and contractor accounts
• Expanded the use of two-factor authentication and password vaults
• Trained individuals on password rotation

If these changes have been implemented as Target describes, they would help address the weaknesses exploited during the attack.

However, the attackers demonstrated extraordinary capabilities by exfiltrating data from a complex retail network as noted in this paper (courtesy of Brian Krebs) by Keith Jarvis and Jason Milletary of Dell SecureWorks Counter Threat Unit, which makes their conclusion all that more poignant. "This level of resourcefulness points to the current value for credit-card data in the criminal marketplace," mentions the paper. "And similar breaches will be common until fundamental changes are made to the technology behind payment cards."

Android 15 unveiled: Here are 8 exciting (or handy) features coming to your phone

Meet hackbat: an open-source, more powerful flipper zero alternative, stanford's vr breakthrough could spell the end of clunky headsets - thanks to ai.

Quick Links

• Leadership Donors

Case Study: Cyber Breach at Target

Engage With Us

Join Our Community

Ready to dive deeper with the Digital Data Design Institute at Harvard? Subscribe to our newsletter, contribute to the conversation and begin to invent the future for yourself, your business and society as a whole.

Payment Acceptance

Accept payments with CardPointe

POS powered payments 

Ecommerce solutions

CardPointe payment gateway integration

On-the-go payments

Payment acceptance for existing software

Online payments page

CardPointe's browser-based POS system

Point-of-Sale(POS)

Customized hardware solutions 

Payment machines

• Sub Menu Item 3 of 6, Value-add Solutions

Integrated payment solutions

Data protection via CardSecure

Tracking & reporting tools

Sales Agent & ISOs

Sell merchant services

Partner portfolio management

• Sub Menu Item 3 of 6, Merchants

Accept credit card payments

• Sub Menu Item 5 of 6, ISVs

Credit card payments integration

Conectados – English

Hispanic-focused selling program

• Sub Menu Item 2 of 5, Conectados Signup
• Sub Menu Item 3 of 5, Conectados – Spanish

Programa de ventas enfocado en hispanos

• Sub Menu Item 5 of 5, Conectados Inscribirse

Professional Tools & Learning

Knowledge center for current partners 

Integration support

Blog resources for payments tips

Calculate business startup costs

• Level 1 menu, Item 4 of 5, About Us
• Sub Menu Item 1 of 3, CardPointe
• Sub Menu Item 2 of 3, CoPilot
• Sub Menu Item 3 of 3, BluePay

Case Study: What We've Learned from the Target Data Breach of 2013

May 19, 2023.

In 2013, the infamous Target data breach swept through America, compromising a devastating number of point-of-sale systems and along with it, over 40 million credit and debit card numbers. Four years later in 2017, Target reached an  18.5-million dollar multistate settlement , requiring they employ an executive to oversee a comprehensive data security program. The company was also required to hire a third-party which will encrypt and protect card information, ensuring their data is secured and unreadable if accessed.

Target has since been adopting appropriate measures to keep their customers’ information safe – but it’s important to learn from where they went wrong. So what was Target lacking before? We’ve compiled a comprehensive autopsy: here's our case study, diagnosing several factors and components which led to Target’s massive security breach.

What exactly happened in the Target security breach?

According to  Krebs on Security , who first reported the news, the breach involved the acquiring of customer information (encrypted PIN data, customer names, credit and debit card numbers, card expiration dates) stored in the magnetic stripe on the back of their payment cards. Undetectable malware was installed on a number of point-of-sale systems in a short amount of time, which indicates the software may have been installed via an automatic updating process. Since this breach, the U.S. has adopted  EMV technology , which would have prevented hackers from acquiring information via the magnetic stripe (in other words, their malware would not have affected the chipcard). The perpetrators completed their attack by accessing one of Target’s third-party vendors, a refrigerator contractor, Fazio Mechanical. The vendor accessing Target’s systems was not using adequate anti-malware software, and their lack of segregation between networks led to the compromise of millions of customers’ information.

We can conclude a few things from this:

• Target’s systems were not protected and thus were vulnerable to phishing attacks
• Networks were not adequately segregated
• Several previous warnings were overlooked

What’s interesting to consider about the Target security breach is the fact that Target passed PCI compliance audits prior to the breach and had implemented security methods required by the  PCI Security Council .

In a case study on the Target data breach, the  SANS Institute Reading Room  reacted with this statement, “A comprehensive approach to security will consider all assets, not just those that fall under compliance regulations. Each asset has a specific set of threats and vulnerabilities that can be considered as part of a risk management program, rather than simply implementing what is mandated for a subset of assets. As demonstrated in this breach, many different assets were used to move throughout the network, so consideration of the POS systems alone would not address the root causes that led up to this attack.”

What Target did wrong

How a company responds to a malware infection makes a considerable difference in how an attack may impact their customers and business. The Initial response is crucial to the minimizing of a malware attack, and is also one of the areas where Target underperformed.

Target missed several internal alerts, and only discovered their breach when contacted by the Department of Justice. Their monitoring software (FireEye) alerted Target staff in Bangalore, India, who in turn notified staff in Minneapolis: but no action was taken.

Despite the fact that Target reportedly spent a large sum on security technology utilizing encryption, their data was accessed in memory where it was unencrypted.

Damages to the company

While the effects of the breach are everlasting on Target’s security approach, the company faced major losses at the time of occurrence, setting them back greatly during the holiday season. After profits dropped 46 percent during Q4 of 2013, customer visits plunged during the new year, prolonging Target’s losses. High-ranking employees, including Target’s CEO, lost their jobs, and over 140 lawsuits were filed in three years. The  Huffington Post  estimates the breach had cost $252 million  before  the lawsuit, including the costs for banks to reissue 21.8 million cards.

How the data breach could have been prevented

A multi-layered security strategy would have prevented, if not at least mitigated the detrimental effects of this breach on Target and its customers.

Focusing on all vulnerabilities

Target’s strategy focused mainly on PCI compliance, while there are sometimes risks that fall outside of the scope of PCI requirements. Standards may also inform adversaries which security measures a business  has  implemented, so the attacker will capitalize on vulnerabilities not on the PCI compliance checklist.

Implementing tokenization

As also stated by the SANS Reading Room, “For encryption to be effective, you must employ an in-depth defense strategy in which you also protect the key and protect access to systems where the data needs to be unencrypted in order to be processed.”

In the instance of the Target breach, tokenization would have played a crucial role in protecting consumer information. Rather than relying on basic encryption methods, the customer information would have been replaced with unique, irreversible tokens – unable to be accessed and decoded by hackers.

Adapting EMV technology

As mentioned before, an EMV terminal accepting chip cards could have also prevented the theft of information via the magnetic strip on the back of cards. CardConnect’s  CardPointe  and  Bolt  P2PE terminals protect in-store transactions as all sensitive data is instantly encrypted and tokenized upon entry. The terminal accepts both cards with magnetic strips and EMV chips, utilizing PCI-validated point-to-point encryption (P2PE) for each individual transaction. All transactions captured with the CardPointe and Bolt P2PE terminals are captured in the powerful transaction management portal, CardPointe, in real-time, making it easy to accept and manage transactions. What’s also really important is that CardPointe also keeps its users apprised of the status of their business’s level of PCI compliance.

The final lesson of the Target data breach

It’s important for merchants to understand that the range of security threats can be wider than standard PCI compliance. Monitoring networks and being attentive to disruptive or unusual patterns in a system’s network is crucial to protecting their systems – and in turn, customer data. Target is just one of many companies to have faced a major data breach. Make sure your company or business is protecting your customers the best they can.

If you’d like to discuss how our security solutions can protect your business and customers, fill out the brief form below and our team will connect with you.

Your success in payments starts here! Please select your partnership type below so we can connect. 

Site Selector

Help | Advanced Search

Computer Science > Cryptography and Security

Title: breaking the target: an analysis of target data breach and lessons learned.

Abstract: This paper investigates and examines the events leading up to the second most devastating data breach in history: the attack on the Target Corporation. It includes a thorough step-by-step analysis of this attack and a comprehensive anatomy of the malware named BlackPOS. Also, this paper provides insight into the legal aspect of cybercrimes, along with a prosecution and sentence example of the well-known TJX case. Furthermore, we point out an urgent need for improving security mechanisms in existing systems of merchants and propose three security guidelines and defenses. Credit card security is discussed at the end of the paper with several best practices given to customers to hide their card information in purchase transactions.

Submission history

Access paper:.

• Other Formats

References & Citations

• Google Scholar
• Semantic Scholar

DBLP - CS Bibliography

Bibtex formatted citation.

Bibliographic and Citation Tools

Code, data and media associated with this article, recommenders and search tools.

• Institution

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs .

Tell us about your project

Cyber Security: Target's 2013 Data Breach

This is the first in a series of case studies/blogs that will evaluate cyber security threats and failure, from the perspective of those in the electrical industry with an eye toward the future electrical power grid that will utilize advanced communications capabilities.

In 2013, Target Corporation’s (Target) security and payment system was breached, compromising 40 million credit and debit card numbers, along with 70 million addresses, phone numbers and other personal information [1].  Target was made aware of this situation in mid-December when the U.S. Department of Justice informed the company that their system was being attacked [2]. Target had received notifications prior to this date, but had failed to act.

The "hows" and the "whys"

Malware was installed on Target’s payment and security system on November 15, 2013. Access to the system came from network credentials that were stolen from an HVAC provider based in Sharpsburg, Penn.  Initial speculation was that this vendor was monitoring HVAC systems installed at Target facilities remotely via network connection and that this was the way hackers gained entry into Targets internal network. As it turned out, this was not the case [3]. The compromised data connection was being used for “electronic billing, contract submissions and project management” [4], not monitoring of equipment. The network credentials were, in fact, gathered after the HVAC contractor's employee fell victim to a phishing scheme attack and clicked on a malicious email [5].

Target was not unprepared for the breach. Earlier that year, the company had installed malware detection software by computer security firm FireEye (high-profile FireEye customers include the CIA and Pentagon). The FireEye team in Bangalore, India monitored Target’s system around the clock, and reported the activity to Target’s security team based in Minneapolis, Minn. [6]. 

Exfiltration malware was installed on November 30, 2013 to move the stolen information out of the Target servers. These drop points were first staged around the U.S., then to computers in Russia. It was at this point that the Bangalore team became aware that something was wrong and notified the Target security team in Minneapolis. For reasons that are unclear, Target's Minneapolis team failed to act on the alert, allowing customer information to be compromised [7].

Points of failure and lessons learned

“Good security is a combination of protection, detection and response” [8]. Target had met its responsibilities of abiding by the industrial standards for payment cards [9] and had a well-respected security firm onboard, but this breach still occurred.

The initial reports on this story attracted the attention of many in the construction industry. Although, in this case, access to Target's credit card system did not come through HVAC unit, that scenario is not an improbable one. Remote monitoring of HVAC equipment is possible and future security incidents are not unlikely. 

The question becomes: “who is culpable?"  In this situation, the HVAC employee gave access to the system, but Target failed to act when they were altered by their security consulting firm. There is a danger in the security industry surrounding false alarms. Too many alerts cause people to stop paying attention, similar to the "crying wolf" phenomena. Sometimes, saying too little is better than saying too much. It is still unclear why no action was taken in Minneapolis by Target's security team.

To best protect themselves, a vendor in a service capacity needs to have a system in place to make sure their software meets current industrial standards. There is a significant danger in using poorly designed and executed software that is marketed beyond its capabilities. However, the greatest weakness in any security scheme will always be human beings. Humans choose bad passwords, configure software incorrectly, and click on malicious email links. Facility operators must make sure that the people interacting with their systems are aware of proper security procedures and understand the consequences of ignoring seemingly-benign alerts. After all, to err is human. 

• http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
• https://www.schneier.com/blog/archives/2014/03/details_of_the_.html
• http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
• http://faziomechanical.com/Target-Breach-Statement.pdf
• http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target
• https://www.schneier.com/blog/archives/2014/01/ive_joined_co3.html

California License No. 174637

A General Engineering Contractor

B General Building

C-10 Electrical

C-46 Solar Power

© 2024 Cupertino Electric, Inc. All Rights Reserved.

Privacy Policy

We may use cookies to enhance your browsing experience. You can opt-out of by clicking Reject. Refer to our External Privacy Policy for more information