Anatomy of the Target data breach: Missed opportunities and lessons learned


Target's infamous data breach happened just over a year ago. Are we any the wiser? Have lessons been learned? Although not every detail has been made public, experts have developed an unofficial attack timeline that exposes critical junctures in the attack and highlights several points at which it could have been stopped.

The attack started on November 27, 2013. Target personnel discovered the breach and notified the U.S. Justice Department by December 13th. As of December 15th, Target had a third-party forensic team in place and the attack mitigated. On December 18th, security blogger Brian Krebs broke the story in this post. "Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records," mentioned Krebs. "The sources said the breach appears to have begun on or around Black Friday 2013 -- by far the busiest shopping day of the year."

Then things became interesting. Target informed about 110 million credit/debit-card wielding shoppers, who made purchases at one of the company's stores during the attack, that their personal and financial information had been compromised. To put that in perspective, the attackers pilfered 11 gigabytes of data.

Anatomy of the attack

Now let's look at the sequence of events that precipitated the data breach. Had any of these steps been noticed and countered, the attack would likely have fallen apart.

1. Preliminary survey

We don't know for certain if or how the attackers performed reconnaissance on Target's network prior to the attack, but it wouldn't have required much more than a simple internet search.

Teri Radichel in this GIAC (GSEC) dissertation explains how the attackers may have gleaned information about Target's infrastructure. "Reconnaissance would have revealed a detailed case study on the Microsoft website describing how Target uses Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager to deploy security patches and system updates," writes Radichel. "The case study also describes Target's technical infrastructure, including POS system information."

The internet provides additional clues. "A simple Google search turns up Target's Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc.," adds Krebs in this blog post. After drilling down, Krebs found a page listing HVAC and refrigeration companies.

2. Compromise third-party vendor

The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.

A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials.

At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned that Fazio used the free version of Malwarebytes anti-malware, which, being an on-demand scanner, offered no real-time protection. (Note: Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.)

Chris Poulin, a research strategist for IBM, offers some suggestions in this paper. Target should demand that vendors accessing its systems use appropriate anti-malware software. Poulin adds, "Or at least mandate two-factor authentication to contractors who have internal access to sensitive information."

3. Leveraging Target's vendor-portal access

Most likely Citadel also gleaned login credentials for the portals used by Fazio Mechanical. With that in hand, the attackers got to work figuring out which portal to subvert and use as a staging point into Target's internal network. Target hasn't officially said which system was the entry point, but the Ariba portal was a prime candidate.

Brian Krebs interviewed a former member of Target's security team regarding the Ariba portal, "Most, if not all, internal applications at Target used Active Directory (AD) credentials and I'm sure the Ariba system was no exception," the administrator told Krebs. "I wouldn't say the vendor had AD credentials, but internal administrators would use their AD logins to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another."

Poulin suggests several attack scenarios: "It's possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day, to gain a point of presence, escalate privileges, then attack internal systems."

Not knowing the details makes it difficult to offer a remediation for this portion of the attack. However, Poulin opines that IPS/IDS systems, if in place, would have sensed the inappropriate attack traffic, notifying Target staff of the unusual behavior. According to this Bloomberg Business article, a malware detection tool made by the computer security firm FireEye was in place and sent an alarm, but the warning went unheeded.

4. Gain control of Target servers

Again, Target hasn't said publicly how the attackers undermined several of their internal Windows servers, but there are several possibilities.

Radichel in the SANS dissertation offers one theory. "We can speculate the criminals used the attack cycle described in Mandiant's APT1 report to find vulnerabilities," mentions Radichel. "Then move laterally through the network... using other vulnerable systems."

Gary Warner, founder of Malcovery Security, feels the servers fell to SQL-injection attacks. He bases that on the many similarities between the Target breach and those perpetrated by the Drinkman and Gonzalez data-breach gang, which also used SQL injection.

5. Next stop, Target's point of sale (POS) systems

This iSIGHT Partners report provides details about the malware, code-named Trojan.POSRAM, used to infect Target's POS system. The "RAM-scraping" portion of the POS malware grabs credit/debit card information from the memory of POS devices as cards are swiped. "Every seven hours the Trojan checks to see if the local time is between the hours of 10 AM and 5 PM," mentions the iSIGHT Partners report. "If so, the Trojan attempts to send winxml.dll over a temporary NetBIOS share to an internal host (dump server) inside the compromised network over TCP port 139, 443 or 80."

This technique allowed attackers to steal data from POS terminals that lacked internet access.

Once the credit/debit card information was secure on the dump server, the POS malware sent a special ICMP (ping) packet to a remote server. The packet indicated that data resided on the dump server. The attackers then moved the stolen data to off-site FTP servers and sold their booty on the digital black market.
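The exfiltration pattern described above (POS hosts writing to an internal dump server over a NetBIOS share on TCP 139, 443 or 80 during business hours, followed by an ICMP signal from that server to an outside host) is the kind of behavior that network flow logs can surface. The following is an added example, not code from the original article or from iSIGHT Partners: a small Python detector that applies those two observations to constructed flow records. The POS subnet, the sanctioned back-end range, the sample addresses and the log field names are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a flow collector or firewall log would record it."""
    ts: datetime   # local time at the sensor
    src: str
    dst: str
    proto: str     # "tcp" or "icmp"
    dport: int     # 0 for icmp


# Everything below is a constructed assumption for the example, not Target's topology.
POS_SEGMENT = ip_network("10.20.0.0/16")             # hypothetical POS VLANs
SANCTIONED_POS_DESTS = [ip_network("10.1.5.0/24")]   # hypothetical payment back-end
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
SHARE_PORTS = {139, 443, 80}    # the ports named in the iSIGHT report
BUSINESS_HOURS = range(10, 17)  # 10 AM to 5 PM, the window the report describes


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def pos_share_alerts(flows):
    """A POS host pushing data to an internal host outside the sanctioned back-end."""
    alerts = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if f.proto != "tcp" or f.dport not in SHARE_PORTS:
            continue
        if src not in POS_SEGMENT or not is_internal(dst):
            continue
        if any(dst in net for net in SANCTIONED_POS_DESTS):
            continue
        alerts.append({"rule": "pos-to-unsanctioned-internal-host", "src": f.src,
                       "dst": f.dst, "dport": f.dport,
                       "business_hours": f.ts.hour in BUSINESS_HOURS})
    return alerts


def dump_server_beacon_alerts(flows, share_alerts):
    """An internal host that just collected POS data sends ICMP to an external address."""
    suspects = {a["dst"] for a in share_alerts}
    return [{"rule": "dump-server-icmp-beacon", "src": f.src, "dst": f.dst}
            for f in flows
            if f.proto == "icmp" and f.src in suspects
            and not is_internal(ip_address(f.dst))]


def analyze(flows):
    share = pos_share_alerts(flows)
    beacon = dump_server_beacon_alerts(flows, share)
    return {"share": share, "beacon": beacon}


# Constructed sample flows; 203.0.113.9 is an RFC 5737 documentation address.
SAMPLE_FLOWS = [
    Flow(datetime(2013, 12, 2, 11, 0), "10.20.3.17", "10.1.5.10", "tcp", 443),    # sanctioned
    Flow(datetime(2013, 12, 2, 12, 5), "10.20.3.17", "10.1.9.44", "tcp", 139),    # suspicious
    Flow(datetime(2013, 12, 2, 12, 7), "10.20.7.2", "10.1.9.44", "tcp", 139),     # suspicious
    Flow(datetime(2013, 12, 2, 12, 30), "10.1.9.44", "203.0.113.9", "icmp", 0),   # beacon
    Flow(datetime(2013, 12, 2, 12, 31), "10.1.2.2", "203.0.113.9", "icmp", 0),    # unrelated ping
    Flow(datetime(2013, 12, 2, 12, 40), "10.20.3.17", "10.1.9.44", "tcp", 22),    # port not in set
    Flow(datetime(2013, 12, 2, 12, 50), "10.30.1.5", "10.1.9.44", "tcp", 139),    # not a POS host
]

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_FLOWS).items():
        for hit in hits:
            print(rule, hit)
```

On the sample data the first rule fires twice (both POS hosts writing to 10.1.9.44 over port 139) and the second rule fires once (10.1.9.44 pinging the outside address). The port list on its own is a weak signal, since internal traffic on 443 and 80 is routine; the value comes from the segmentation knowledge encoded in SANCTIONED_POS_DESTS, which is exactly the "improved firewall rules" and POS management work Target lists among its post-breach changes.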

Lessons learned

As a result of the breach, Target has tried to improve security. A corporate webpage describes changes made by the company regarding their security posture, including the following:

  • Improved monitoring and logging of system activity
  • Installed application whitelisting on POS systems
  • Implemented POS management tools
  • Improved firewall rules and policies
  • Limited or disabled vendor access to their network
  • Disabled, reset, or reduced privileges on over 445,000 Target personnel and contractor accounts
  • Expanded the use of two-factor authentication and password vaults
  • Trained individuals on password rotation

If these changes have been implemented as Target describes, they would help address the weaknesses exploited during the attack.

However, the attackers demonstrated extraordinary capabilities by exfiltrating data from a complex retail network, as noted in this paper (courtesy of Brian Krebs) by Keith Jarvis and Jason Milletary of Dell SecureWorks Counter Threat Unit, which makes their conclusion all the more poignant. "This level of resourcefulness points to the current value for credit-card data in the criminal marketplace," mentions the paper. "And similar breaches will be common until fundamental changes are made to the technology behind payment cards."


case study 2 the target attack

Ten Years Later, New Clues in the Target Breach

On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month. The malware used in the Target breach included the text string “Rescator,” which also was the handle chosen by the cybercriminal who was selling all of the cards stolen from Target customers. Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.


Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang’s.

Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine. Efforts to confirm my reporting with that individual ended when they declined to answer questions, and after I declined to accept a bribe of $10,000 not to run my story.

That reporting was based on clues from an early Russian cybercrime forum in which a hacker named Rescator — using the same profile image that Rescator was known to use on other forums — claimed to have originally been known as “Helkern,” the nickname chosen by the administrator of a cybercrime forum called Darklife.

KrebsOnSecurity began revisiting the research into Rescator’s real-life identity in 2018, after the U.S. Department of Justice unsealed an indictment that named a different Ukrainian man as Helkern.

It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach. For starters, the text string “Rescator” was found in some of the malware used in the Target breach. Investigators would later determine that a variant of the malware used in the Target breach was used in 2014 to steal 56 million payment cards from Home Depot customers. And once again, cards stolen in the Home Depot breach were sold exclusively at Rescator’s shops.

On Nov. 25, 2013, two days before Target said the breach officially began, Rescator could be seen in instant messages hiring another forum member to verify 400,000 payment cards that Rescator claimed were freshly stolen.

By the first week of December 2013, Rescator’s online store — rescator[.]la — was selling more than six million payment card records stolen from Target customers. Prior to the Target breach, Rescator had mostly sold much smaller batches of stolen card and identity data, and the website allowed cybercriminals to automate the sending of fraudulent wire transfers to money mules based in Lviv, Ukraine.

Finally, there is some honor among thieves, and in the marketplace for stolen payment card data it is considered poor form to advertise a batch of cards as “yours” if you are merely reselling cards sold to you by a third-party card vendor or thief. When serious stolen payment card shop vendors wish to communicate that a batch of cards is uniquely their handiwork or that of their immediate crew, they refer to it as “our base.” And Rescator was quite clear in his advertisements that these millions of cards were obtained firsthand.

The new clues about Rescator’s identity came into focus when I revisited the reporting around an April 2013 story here that identified the author of the OSX Flashback Trojan, an early Mac malware strain that quickly spread to more than 650,000 Mac computers worldwide in 2012.

That story about the Flashback author was possible because a source had obtained a Web browser authentication cookie for a founding member of a Russian cybercrime forum called BlackSEO. Anyone in possession of that cookie could then browse the invite-only BlackSEO forum and read the user’s private messages without having to log in.


BlackSEO.com VIP member “Mavook” tells forum admin Ika in a private message that he is the Flashback author.

The legitimate owner of that BlackSEO user cookie went by the nickname Ika, and Ika’s private messages on the forum showed he was close friends with the Flashback author. At the time, Ika also was the administrator of Pustota[.]pw — a closely-guarded Russian forum that counted among its members some of the world’s most successful and established spammers and malware writers.

For many years, Ika held a key position at one of Russia’s largest Internet service providers, and his (mostly glowing) reputation as a reliable provider of web hosting to the Russian cybercrime community gave him an encyclopedic knowledge about nearly every major player in that scene at the time.

The story on the Flashback author featured redacted screenshots that were taken from Ika’s BlackSEO account (see image above). The day after that story ran, Ika posted a farewell address to his mates, expressing shock and bewilderment over the apparent compromise of his BlackSEO account.

In a lengthy post on April 4, 2013 titled “I DON’T UNDERSTAND ANYTHING,” Ika told Pustota forum members he was so spooked by recent events that he was closing the forum and quitting the cybercrime business entirely. Ika recounted how the Flashback story had come the same week that rival cybercriminals tried to “dox” him (their dox named the wrong individual, but included some of Ika’s more guarded identities).

“It’s no secret that karma farted in my direction,” Ika said at the beginning of his post. Unbeknownst to Ika at the time, his Pustota forum also had been completely hacked that week, and a copy of its database shared with this author.


A Google translated version of the farewell post from Ika, the administrator of Pustota, a Russian language cybercrime forum focused on botnets and spam. Click to enlarge.

Ika said the two individuals who tried to dox him did so on an even more guarded Russian language forum — DirectConnection[.]ws, perhaps the most exclusive Russian cybercrime community ever created. New applicants of this forum had to pay a non-refundable deposit, and receive vouches by three established cybercriminals already on the forum. Even if one managed to steal (or guess) a user’s DirectConnection password, the login page could not be reached unless the visitor also possessed a special browser certificate that the forum administrator gave only to approved members.

In no uncertain terms, Ika declared that Rescator went by the nickname MikeMike on DirectConnection:

“I did not want to bring any of this to real life. Especially since I knew the patron of the clowns – specifically Pavel Vrublevsky. Yes, I do state with confidence that the man with the nickname Rescator a.k.a. MikeMike with his partner Pipol have been Pavel Vrublevsky’s puppets for a long time.”

Pavel Vrublevsky is a convicted cybercriminal who became famous as the CEO of the Russian e-payments company ChronoPay, which specialized in facilitating online payments for a variety of “high-risk” businesses, including gambling, pirated Mp3 files, rogue antivirus software and “male enhancement” pills.

As detailed in my 2014 book Spam Nation, Vrublevsky not-so-secretly ran a pharmacy affiliate spam program called Rx-Promotion, which paid spammers and virus writers to blast out tens of billions of junk emails advertising generic Viagra and controlled pharmaceuticals like pain relief medications. Much of my reporting on Vrublevsky’s cybercrime empire came from several years’ worth of internal ChronoPay emails and documents that were leaked online in 2010 and 2011.


Pavel Vrublevsky’s former Facebook profile photo.

In 2014, KrebsOnSecurity learned from a trusted source close to the Target breach investigation that the user MikeMike on DirectConnection — the same account that Ika said belonged to Rescator — used the email address “[email protected].”

At the time, KrebsOnSecurity could not connect that email address to anything or anyone. However, a recent search on [email protected] at the breach tracking service Constella Intelligence returns just one result: an account created in November 2010 at the site searchengines[.]ru under the handle “r-fac1.”

A search on “r-fac1” at cyber intelligence firm Intel 471 revealed that this user’s introductory post on searchengines[.]ru advertised musictransferonline[.]com, an affiliate program that paid people to drive traffic to sites that sold pirated music files for pennies apiece.

According to leaked ChronoPay emails from 2010, this domain was registered and paid for by ChronoPay. Those missives also show that in August 2010 Vrublevsky authorized a payment of ~$1,200 for a multi-user license of an Intranet service called MegaPlan.

ChronoPay used the MegaPlan service to help manage the sprawling projects that Vrublevsky referred to internally as their “black” payment processing operations, including pirated pills, porn, Mp3s, and fake antivirus products. ChronoPay employees used their MegaPlan accounts to track payment disputes, order volumes, and advertising partnerships for these high-risk programs.

Borrowing a page from the Quentin Tarantino movie Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these employees had their MegaPlan account messages automatically forwarded to their real ChronoPay email accounts.


A screen shot of the org chart from ChronoPay’s MegaPlan Intranet system.

When ChronoPay’s internal emails were leaked in 2010, the username and password for its MegaPlan subscription were still working and valid. An internal user directory for that subscription included the personal (non-ChronoPay) email address tied to each employee Megaplan nickname. That directory listing said the email address [email protected] was assigned to the head of the Media/Mp3 division for ChronoPay, pictured at the top left of the organizational chart above as “Babushka Vani and Koli.”

[Author’s note: I initially overlooked the presence of the email address [email protected] in my notes because it did not show up in text searches of my saved emails, files or messages. I rediscovered it recently when a text search for [email protected] on my Mac found the address in a screenshot of the ChronoPay MegaPlan interface.]

The nickname two rungs down from “Babushka” in the ChronoPay org chart is “Lev Tolstoy,” which the MegaPlan service showed was picked by someone who used the email address v.zhabukin@freefrog-co-ru.

ChronoPay’s emails show that this Freefrog email address belongs to a Vasily Borisovich Zhabykin from Moscow. The Russian business tracking website rusprofile[.]ru reports that Zhabykin is or was the supervisor or owner of three Russian organizations, including one called JSC Hot Spot.

[Author’s note: The word “babushka” means “grandma” in Russian, and it could be that this nickname is a nod to the ChronoPay CEO’s wife, Vera. The leaked ChronoPay emails show that Vera Vrublevsky managed a group of hackers working with their media division, and was at least nominally in charge of MP3 projects for ChronoPay. Indeed, in messages exposed by the leaked ChronoPay email cache, Zhabykin stated that he was “directly subordinate” to Mrs. Vrublevsky.]

CYBERCRIME HOTSPOT

JSC Hot Spot is interesting because its co-founder is another ChronoPay employee: 37-year-old Mikhail “Mike” Shefel. A Facebook profile for Mr. Shefel says he is or was vice president of payment systems at ChronoPay. However, the last update on that profile is from 2018, when Shefel appears to have legally changed his last name.

Archive.org shows that Hot Spot’s website — myhotspot[.]ru — sold a variety of consulting services, including IT security assessments, code and system audits, and email marketing. The earliest recorded archive of the Hot Spot website listed three clients on its homepage, including ChronoPay and Freefrog.

ChronoPay internal emails show that Freefrog was one of its investment projects that facilitated the sale of pirated Mp3 files. Rusprofile[.]ru reports that Freefrog’s official company name — JSC Freefrog — is incorporated by a thinly-documented entity based in the Seychelles called Impex Consulting Ltd., and it is unclear who its true owners are.

However, a search at DomainTools.com on the phone number listed on the homepage of myhotspot[.]ru (74957809554) reveals that number is associated with eight domain names.

Six of those domains are some variation of FreeFrog. Another domain registered to that phone number is bothunter[.]me, which included a copyright credit to “Hot Spot 2011.” At the annual Russian Internet Week IT convention in Moscow in 2012, Mr. Shefel gave a short presentation about bothunter, which he described as a service he designed to identify inauthentic (bot) accounts on Russian social media networks.

Interestingly, one of r-fac1’s first posts to Searchengines[.]ru a year earlier saw this user requesting help from other members who had access to large numbers of hacked social media accounts. R-fac1 told forum members that he was only looking to use those accounts to post harmless links and comments to the followers of the hacked profiles, and his post suggested he was testing something.

“Good afternoon,” r-fac1 wrote on Dec. 20, 2010. “I’m looking for people with their own not-recently-registered accounts on forums, (except for search) Social networks, Twitter, blogs, their websites. Tasks, depending on your accounts, post text and a link, sometimes just a link. Most often the topic is chatter, relaxation, discussion. Posting my links in your profiles, on your walls. A separate offer for people with a large set of contacts in instant messengers to try to use viral marketing.”

Neither Mr. Shefel nor Mr. Zhabykin responded to requests for comment.

WHERE ARE THEY NOW?

Mr. Zhabykin soon moved on to bigger ventures, co-founding a cryptocurrency exchange based in Moscow’s financial center called Suex. In September 2021, Suex earned the distinction of becoming the first crypto firm to be sanctioned by the U.S. Department of the Treasury, which effectively blocked Suex from the global financial system. The Treasury alleged Suex helped to process millions in criminal transactions, including the proceeds of numerous ransomware attacks.

“I don’t understand how I got mixed up in this,” Zhabykin told The New York Times in 2021. Zhabykin said Suex, which is registered in the Czech Republic, was mostly a failure and had conducted only a half dozen or so transactions since 2019.

The Russian business tracking service Rusprofile says Zhabykin also is the owner of a company based in the United Kingdom called RideWithLocal; the company’s website says it specializes in arranging excursions for extreme sports, including snowboarding, skiing, surfing and parasailing. Images from the RideWithLocal Facebook page show helicopters dropping snowboarders and skiers atop some fairly steep mountains.


A screenshot from the Facebook page of RideWithLocal.

Constella Intelligence found a cached copy of a now-deleted LinkedIn profile for Mr. Zhabykin, who described himself as a “sporttech/fintech specialist and mentor.”

“I create products and services worldwide, focusing on innovation and global challenges,” his LinkedIn profile said. “I’ve started my career in 2002 and since then I worked in Moscow, different regions of Russia, including Siberia and in Finland, Brazil, United Kingdom, Sri Lanka. Over the last 15 years I contributed to many amazing products in the following industries: sports, ecology, sport tech, fin tech, electronic payments, big data, telecommunications, pulp and paper industry, wood processing and travel. My specialities are Product development, Mentorship, Strategy and Business development.”

Rusprofile reports that Mikhail Borisovich Shefel is associated with at least eight current or now-defunct companies in Russia, including Dengi IM (Money IM), Internet Capital, Internet Lawyer, Internet 2, Zao Hot Spot, and (my personal favorite) an entity incorporated in 2021 called “All the Money in the World.”

Constella Intelligence found several official documents for Mr. Shefel that came from hacked Russian phone, automobile and residence records. They indicate Mr. Shefel is the registrant of a black Porsche Cayenne (Plate:X537SR197) and a Mercedes (Plate:P003PX90). Those vehicle records show Mr. Shefel was born on May 28, 1986.

Rusprofile reveals that at some point near the end of 2018, Shefel changed his last name to Lenin. DomainTools reports that in 2018, Mr. Shefel’s company Internet 2 LLC registered the domain name Lenin[.]me. This now-defunct service sold physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union.


Meanwhile, Pavel Vrublevsky remains imprisoned in Russia, awaiting trial on fraud charges levied against the payment company CEO in March 2022. Authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top spammers and botmasters to launch a distributed denial-of-service (DDoS) attack against a ChronoPay competitor that shut down the ticketing system for the state-owned Aeroflot airline.

Following his release, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.

KrebsOnSecurity sought comment on this research from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, both of which have been involved in the Target breach investigation over the years. The FBI declined to comment. The Secret Service declined to confirm or dispute any of the findings, but said it is still interested in hearing from anyone who might have more information.

“The U.S. Secret Service does not comment on any open investigation and won’t confirm or deny the accuracy in any reporting related to a criminal manner,” the agency said in a written statement. “However, if you have any information relating to the subjects referenced in this article, please contact the U.S. Secret Service at [email protected]. The Secret Service pays a reward for information leading to the arrest of cybercriminals.”

25 thoughts on “Ten Years Later, New Clues in the Target Breach”

The number of characters and plot threads reads like a Tolstoy or Dostoevsky novel – fittingly.

Right?? What a ride…

I have something to say, soon as I catch my breath.

Great research Brian. Well done as always. My thought throughout was, “If these guys are Russians in their 20s & 30s, why aren’t they all now living in a muddy trench in DonBas?”

IDK. Perhaps that’s exactly where they are now. However, my guess is if they are not living under an assumed identity, then they are more useful to the Kremlin at home.

Wow! What a ride, thanks for all that work. You really get your teeth into your work Mr. Krebs.

Fantastic research Brian…! The depth and width are phenomenal…!

Uh, is this the unintended reason the company is called “Target”? Or maybe their customers should be so-called. Just wonderin’.

i think this is great lol

Thank you for tracking all of this. And I thank our lucky stars that criminals sometimes goof up enough to be caught.

To answer this question, you need to ask yourself another question: who are the fathers of these 20s & 30s?

Yo you could use bullet points to highlight main points. Like Axios. Got to help guide your readers

The amount of information and intricate links between it all isn’t conducive to bulletpoint display, BK’s style is far superior. If you can’t bother to read a few paragraphs why bother at all?

Netflix Awaits…

I remember this vividly. 10 years ago I was getting my cyber security masters degree (didn’t help me get a job much). A huge chunk of the class got jobs at Target months before the breach. After the aftermath many were let go. I think on that sometimes how you can be at the wrong place at the wrong time in security and get cleaned out.

Wow, amazing reporting! Well done.

FWIW that’s a Masonic Knights Templar sword in Vrublevsky’s profile photo.

A blast from the past here! Were there ever any connections between rescator and jokerstash?

Not that I’m aware of. But there is some suggestion that BriansClub is the new Rescator sites, which kind of died off when BriansClub debuted. Also, the images on the homepage of BriansClub were created back ~2014 in response to a warning from Rescator et al. when he posted our SSNs, address, etc and linked to like 30 different places to apply for credit. In response to that, forum members put together all of the images on BriansClub currently.

https://krebsonsecurity.com/wp-content/uploads/2023/12/rescator-bkneedshelp.png

Let it be said that if you’re ever short on steaks in your freezer, I would gladly contribute via a Patreon or similar channel. That being said, I have a feeling Rescator seriously underestimates the amount of beef you’re packing

The level of research you often timeline in your articles when reporting security news is really astounding. It’s so easy to fall down the rabbit holes you create in your articles!

I can’t tell you how much I appreciate your commitment to thorough research in your security articles. The work you put into these rabbit holes is truly commendable, and they’re a joy to explore.

Fascinating chain of investigation. Makes me want to massively upgrade my research skills!

Thanks for all you do! Hacking is getting scarier by the minute.

This emphasizes the need for robust cybersecurity measures and collaborative efforts to combat such ransomware attacks



Target targeted: Five years on from a breach that shook the cybersecurity industry

In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers

Lysa Myers

18 Dec 2018 • 6 min. read

In the twenty years since the start of my career in InfoSec, there have been a handful of security incidents that really stick out in my mind; seismic events after which the landscape seemed permanently altered. Five years ago, we experienced one of these instances when the Target breach was announced.

In light of this momentous anniversary, I decided to talk with my colleagues and fellow WeLiveSecurity Experts, about what they thought characterized the differences in the security scenery from before and after this attack.

A breach hits close to home

While 40 million payment card credentials and 70 million customer records lost seems "charmingly" small compared to more recent breaches, it was one of the first security events that hit a wide swath of people. Target was in the top five in the National Retail Federation (NRF) Top 100 Retailers list at the time (it’s down to #8 currently), and the breach was announced at the height of the holiday shopping season.

The combination of time and place was a perfect storm, reaching a significant percentage of the United States population. The odds are very good that if you lived in the US in 2013, even if you yourself were not affected, you probably know plenty of people who were.  And with breaches occurring both at Target and Home Depot ( currently #5 in the NRF Top 100 Retailers list) within several months of each other, the effects of each were amplified.

As Aryeh Goretsky stated: "With Target and Home Depot, consumers began (I think) to see that these weren’t intangible things that did not affect them, but rather concrete examples of ‘this happened to a place I do business with’ vs. something nebulous/opaque/invisible to consumers like a payment processor.  If Target is what legitimized data breaches in consumers’ minds, maybe Home Depot was the one that galvanized them into thinking that this was going to be a repeating event."

Chip card adoption

Another point raised by Aryeh was that "probably the biggest change is that this is what got payment processors moving towards chip & PIN in the United States."

Stephen Cobb concurred and added that "one reason the Target breach had such an impact was timing – it happened right before Congress went home for the holidays and constituents were really angry about it. I talked to several members of Congress and their staffers in the following February and it was a very hot topic with them."

While the use of EMV cards would not have decreased the number of records lost in the Target breach, there was a major push in the days afterwards to "do something" to decrease payment card fraud. Within months of the Target breach and within weeks of the Home Depot breach, President Obama had signed an executive order that was intended to hasten the adoption of chip card technology.

In the two years prior to these breaches, Visa and MasterCard had both announced their plans to compel banks and retail vendors to switch to offering and accepting payment cards with embedded microchips. The conversion had been progressing slowly and quite reluctantly, but as banks suddenly had significant motivation to update their members' payment cards, the pace picked up considerably. Many smaller retailers and gas stations are still dragging their feet on accepting EMV cards, even three years after the initial October 2015 liability shift.

Stephen also noted that "the US did not universally embrace chip and PIN, going for chip and signature in many cases. Target itself introduced a branded MasterCard a few years ago and it always requires a PIN". In fact, all the major credit card companies only just announced this year that they’re moving towards the more secure standard of requiring a PIN.

Supply chain risk

The attackers reached Target's Point of Sale (PoS) machines by stealing the credentials of an HVAC supplier that had been accessing Target's network through an external vendor portal, and then moving from that vendor-facing access to the PoS systems. While this detail of the breach has been discussed extensively within the security practitioner community in the last few years, it is one that took some time even to permeate experts' awareness.

David Harley recalled "I guess (or hope) that people in general and certainly the InfoSec community became more aware that it’s not just the security of the companies that you do business with that you should worry about: it’s also the security of other companies that they do business with. A company you consider trustworthy is one thing, but who do they trust? We take it for granted that we live in an interconnected world, but don’t necessarily realize just how extensive those interconnections really are."

Stephen added,  "I don’t remember anyone shouting ‘supply chain risk’ in the immediate aftermath of the Target breach, but I think it is fair to say that the Target breach marked the beginning of a broader awareness of this threat vector."

In the years since the breach, there has been a greater understanding of the need for stronger authentication options, which would have made the stolen vendor credentials far less useful on their own, and for network segmentation, which would have stopped the attacker from pivoting from a less sensitive area (the vendor-facing systems) to one holding more valuable information (the PoS network).
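To make the segmentation point concrete, the following added example (mine, not ESET's or Target's; the zone names and firewall rules are constructed for illustration) models the allowed traffic between network zones and checks two things: whether a foothold in the vendor-facing zone can reach the PoS zone through any chain of permitted hops, and whether the PoS zone can reach the internet at all, which is what stolen data needs in order to leave. The first rule set is a flat network of the kind this breach exposed; the second is segmented.

```python
"""Added example, not code from the ESET article: reachability check over a
zone-to-zone firewall policy. Zone names and rules are constructed."""
from collections import deque

# Hypothetical zones: "vendor-portal" is where a third-party supplier's
# credentials land, "pos" is the register network, "corp" the office LAN.
FLAT_NETWORK = {
    ("internet", "vendor-portal"): ["tcp/443"],
    ("vendor-portal", "corp"): ["any"],   # portal host sits on the corporate LAN
    ("corp", "pos"): ["any"],             # no filtering between corp and PoS
    ("pos", "internet"): ["any"],         # registers may talk out directly
}

SEGMENTED_NETWORK = {
    ("internet", "vendor-portal"): ["tcp/443"],
    ("vendor-portal", "hvac-mgmt"): ["tcp/443"],  # vendor reaches only what it services
    ("corp", "pos-mgmt"): ["tcp/22"],             # admins go through a jump zone
    ("pos-mgmt", "pos"): ["tcp/22"],
    ("pos", "payment-gateway"): ["tcp/443"],      # registers talk only to the processor
}


def reachable_zones(rules, start):
    """Breadth-first walk over the policy: every zone reachable from `start`
    by a chain of allowed rules, mapped to the path that gets there."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for (src, dst), ports in rules.items():
            if src == zone and ports and dst not in paths:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths


def pivot_path(rules, foothold="vendor-portal", target="pos"):
    """Path an attacker holding `foothold` could take to `target`, or None."""
    return reachable_zones(rules, foothold).get(target)


def exfil_path(rules, source="pos", sink="internet"):
    """Path from the PoS zone out to the internet, or None if it is walled off."""
    return reachable_zones(rules, source).get(sink)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(f"{name:<10} pivot: {pivot_path(rules)}  exfil: {exfil_path(rules)}")
```

Rules here are directional and stateless, so reply traffic is not modelled; the same walk can be run against exported firewall or VLAN ACL configuration, treating any path from a vendor-reachable zone into the cardholder-data environment, or from the PoS zone to the open internet, as a finding.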

Normalizing breaches

Because Target is such a popular retailer, and its breach was announced shortly before attacks on other popular retailers, the overwhelming sense was that breaches are not something that happens only to smaller shops. Attacks happen to bigger companies who should have significant defenses, as well as to smaller businesses that may not have specific security expertise. No organization of any size can afford to ignore vulnerabilities on their networks or devices, and the measures put in place to deal with fraud and data breaches affect customers as well.

Cameron Camp stated that "consumers learned to tolerate bank anti-fraud measures that, while not perfect, slow the velocity of money leaking from your account and may give you some modicum of remedy. Large breaches set the stage for banks learning how to deal with threats like this in a more manageable manner. Now that there are more data and therefore experience, they can better know how to respond."

Stephen noticed this shift as well: "Several surveys indicate that something like 15% to 20% of consumers avoid online shopping and banking these days due to security and privacy fears, and I think that the Target breach was one of the key factors kicking off that trend (another being the Snowden revelations). Anecdotally I see some percentage of people taking one or more steps to limit their payment card exposure, like setting up transaction notifications, but I’m not sure what that percentage is."

Executive awareness

While acquiring sufficient budget and personnel for cybersecurity groups will always be problematic, there was a subtle shift in most executives' perspective that eventually led to increased spending. The initial forecast for increases in security spending in 2014 was quite rosy, though for some the increase failed to materialize right away. Nevertheless, the increases did eventually come, as executives felt continued pressure from customers to protect their data.

As Stephen said, "I think it was a much needed wakeup call to get deeply serious about security. Just going through the motions, like buying security products and getting your security tested, was not going to cut it: you need to architect for security, skill up for security, and train for security. If the C-suite is not making security a priority for all departments and all employees, you are at higher risk than your competitors that do prioritize security."

Cameron echoed this sentiment: "Target came to understand that it’s not enough to just have fire-and-forget, very expensive tech to detect ‘bad things’; that correct configuration and tuning are of the essence."

In the day-to-day struggles of securing data and devices, it can be easy to forget that there are areas in which we have indeed made progress. By looking back at major milestones, we can see how much has changed in a few years’ time. While we still have a long way to go, we can reconsider the past to strengthen our resolve to make bigger strides towards a more secure future.


arXiv: Computer Science > Cryptography and Security

Title: Breaking the Target: An Analysis of Target Data Breach and Lessons Learned

Abstract: This paper investigates and examines the events leading up to the second most devastating data breach in history: the attack on the Target Corporation. It includes a thorough step-by-step analysis of this attack and a comprehensive anatomy of the malware named BlackPOS. Also, this paper provides insight into the legal aspect of cybercrimes, along with a prosecution and sentence example of the well-known TJX case. Furthermore, we point out an urgent need for improving security mechanisms in existing systems of merchants and propose three security guidelines and defenses. Credit card security is discussed at the end of the paper with several best practices given to customers to hide their card information in purchase transactions.


Harvard Business School, Faculty & Research, HBS Case Collection, July 2016 (Revised January 2019)

Cyber Breach at Target

  • Format: Print
  • Language: English
  • Pages: 32
  • Authors: Suraj Srinivasan, Lynn S. Paine

Related work:

  • Cyber Breach at Target, by Suraj Srinivasan and Lynn Paine (Faculty Research, February 2018)
  • Cyber Breach at Target, by Suraj Srinivasan, Lynn S. Paine and Neeraj Goyal


CoverLink Insurance - Ohio Insurance Agency

Cyber Case Study: Target Data Breach

by Kelli Young | Sep 13, 2021 | Case Study , Cyber Liability Insurance


During the final months of 2013, Target, the well-known American retailer, experienced a large-scale security breach. The breach led to point-of-sale systems being compromised by malware, giving cybercriminals access to millions of customers’ personal and financial data. The incident became one of the most high-profile data breaches of the decade, affecting customers across the country.

Target faced numerous consequences in the aftermath of the breach—including a range of recovery expenses, hundreds of lawsuits, decreased customer confidence, lost profits and widespread criticism related to the company’s initial response. In hindsight, organizations can learn many lessons by analyzing the details of this breach, its impact and Target’s mistakes along the way. Here’s what your organization needs to know.

The Details of the Target Data Breach


The cybercriminals launched the malware and began collecting customer data from Target’s point-of-sale systems on November 27th. Three days later, FireEye, whose security software Target had purchased earlier that year, detected the malware and reported it to Target’s headquarters. Despite receiving this report, Target took no steps to stop the malware. With the detection left unaddressed, the cybercriminals were able to install exfiltration malware on the point-of-sale systems to move customer data out of the company’s network, and in the following days they began moving the data. This activity triggered another report from FireEye on December 2nd. Target still did not respond.

On December 12th, the U.S. Department of Justice identified the malware and notified Target of the breach. At that point, Target began to investigate the incident, with assistance from both the Secret Service and the FBI. By December 15th, most of the malware had been removed. On December 18th, a cybersecurity blogger became aware of the breach and publicly shared the incident’s details. One day later, Target released an official statement on the matter, outlining what happened and confirming that the company was working with the proper authorities to resolve the incident. Nevertheless, severe damage had already been done. In total, the cybercriminals compromised approximately 40 million customers’ credit and debit card information as well as 70 million customers’ personal details (e.g., names, addresses and phone numbers).
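The two ignored FireEye reports are the crux of this timeline: a malware detection on the point-of-sale systems on November 30th, then outbound traffic from those systems on December 2nd. The following added example (mine, not Target's, FireEye's or the article's; the log format, hostnames, addresses and timestamps are constructed) shows the kind of alert correlation that turns those two reports into one critical finding with a host to isolate, instead of two tickets sitting in a queue.

```python
"""Added example, not code from the CoverLink article: host-based alert
correlation. A malware detection followed within a window by outbound
traffic from the same register is escalated to critical. Log lines,
hostnames, addresses and timestamps below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed alert feed in a simple key=value form (not FireEye's format).
ALERTS = """\
2013-11-30T02:14:07Z host=pos-reg-0412 zone=pos type=malware.binary detail="unknown binary dropped in system32"
2013-11-30T02:14:09Z host=pos-reg-0412 zone=pos type=malware.binary detail="unknown binary dropped"
2013-12-01T11:03:55Z host=corp-ws-118 zone=corp type=policy.usb detail="removable media inserted"
2013-12-02T03:41:22Z host=pos-reg-0412 zone=pos type=net.outbound detail="dst=203.0.113.7:21 bytes=41230000"
2013-12-02T03:42:10Z host=corp-ws-118 zone=corp type=net.outbound detail="dst=198.51.100.20:443 bytes=1200"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) zone=(?P<zone>\S+) '
    r'type=(?P<type>\S+) detail="(?P<detail>[^"]*)"$'
)


def parse_alerts(text):
    """Parse the feed into dicts; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(rec)
    return out


def triage(alerts, window=timedelta(days=7)):
    """Assign a priority to each alert in time order.

    - Malware on a register is high on its own; elsewhere it is medium.
    - Outbound traffic from the PoS zone is high on its own, because registers
      should speak only to the payment processor.
    - Outbound traffic from a PoS host that had a malware alert within `window`
      is critical: detection followed by probable exfiltration.
    """
    seen_by_host = {}
    findings = []
    for a in sorted(alerts, key=lambda r: r["ts"]):
        prior = seen_by_host.setdefault(a["host"], [])
        priority, reason = "low", a["type"]
        if a["type"] == "malware.binary":
            priority = "high" if a["zone"] == "pos" else "medium"
        elif a["type"] == "net.outbound" and a["zone"] == "pos":
            priority, reason = "high", "outbound traffic from PoS zone"
            recent = [p for p in prior
                      if p["type"] == "malware.binary" and a["ts"] - p["ts"] <= window]
            if recent:
                priority = "critical"
                reason = (f"malware alert {recent[0]['ts']:%Y-%m-%d} "
                          f"followed by outbound traffic")
        prior.append(a)
        findings.append({"ts": a["ts"], "host": a["host"],
                         "priority": priority, "reason": reason})
    return findings


def hosts_to_isolate(findings):
    """Hosts carrying a critical finding: candidates for immediate isolation."""
    return sorted({f["host"] for f in findings if f["priority"] == "critical"})


if __name__ == "__main__":
    results = triage(parse_alerts(ALERTS))
    for f in results:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['host']:<14} {f['priority']:<9} {f['reason']}")
    print("isolate:", hosts_to_isolate(results))
```

The window and the zone rule are the two knobs worth tuning: the window decides how long a malware detection keeps a host "hot", and the zone rule encodes the expectation that a register has no business talking to an arbitrary external address, which is what makes the December 2nd traffic stand out even without the earlier alert.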

The Impact of the Target Data Breach

In addition to compromised customer data, Target encountered a series of ramifications after the breach.

Recovery costs: Target had to take several steps to recover from the breach and minimize the risk of future incidents. Recovery efforts included engaging a third-party forensics firm to investigate the breach, offering customers one year of free credit monitoring, setting up a call center for breach-related concerns, equipping point-of-sale systems with chip-and-PIN-enabled technology, segmenting company networks and implementing stricter access controls. The overall cost of these efforts totaled more than $250 million.

Legal expenses: Apart from recovery costs, Target also faced significant legal expenses from the breach. In particular, the company was involved in over 140 lawsuits throughout the country regarding the incident. In 2017, four years after the breach, Target finally reached an $18.5 million settlement spanning 47 states. As part of the settlement, the company was required to engage a third party to help encrypt and further protect customer data, and to hire an executive responsible for leading a workplace cybersecurity program, further compounding costs.

Reputational damages: Lastly, Target experienced a range of reputational problems due to the breach, namely reduced customer confidence and distrust of senior leadership. The timing of the incident was especially damaging, since it took place during the holiday shopping season and hurt year-end sales.

In fact, Target’s profits dropped by a staggering 46% during the final quarter of 2013. Moving into January 2014, one-third (33%) of U.S. households reported shopping at Target—down 10% from the previous year. The company’s prolonged response to the breach was also heavily criticized, causing stakeholders to hold senior leaders accountable for the delay and demand change. As a result, both Target’s longstanding CEO and chief information officer stepped down in 2014, paving the way for significant transitions in executive leadership.

Lessons Learned from the Target Data Breach

There are several cybersecurity takeaways from the Target data breach. Specifically, the incident emphasized these important lessons:

Investing in cybersecurity measures is worth it. This large-scale breach could have been contained, or possibly avoided altogether, had Target had additional precautions in place, such as network segmentation between vendor-facing systems and the point-of-sale network and stronger encryption of cardholder data. The incident therefore highlighted the value of investing in adequate cybersecurity controls: the expense of implementing them is well worth the benefit of averting far costlier incidents later.

An effective cyber incident response plan is critical. One of Target’s greatest failings during the breach was its initial response. Although Target received multiple reports from FireEye about the malware, the company failed to act until the federal government got involved. By responding just days earlier, Target could have stopped the cybercriminals before they moved customer data out of the network, significantly limiting the impact of the breach. The company also took extra time to inform the public of the incident, which upset many customers. These failures emphasize how critical it is to take reports seriously, act quickly and have an effective cyber incident response plan in place. Such a plan helps an organization establish timely response protocols for remaining operational and mitigating losses in a cyber incident. Generally speaking, an effective cyber incident response plan should outline:

  • Who is part of the cyber incident response team (e.g., board members, department leaders, IT professionals, legal experts and HR specialists)
  • What roles and responsibilities each member of the cyber incident response team must uphold during an attack
  • What the organization’s key functions are and how these operations will continue throughout an attack
  • How any critical workplace decisions will be made during an attack
  • When and how stakeholders should be informed of an attack (e.g., employees, customers, shareholders and suppliers)
  • What federal, state and local regulations the organization must follow when responding to an attack (e.g., incident reporting protocols)
  • When and how the organization should seek assistance from additional parties to help recover from an attack (e.g., law enforcement and insurance professionals)

Third-party exposures must be considered. The breach also showed the importance of promoting third-party security: Fazio Mechanical’s cyber vulnerabilities are what ultimately led to the onset of the breach. To limit these exposures, it is vital to work with vendors, suppliers and other third parties to ensure they uphold effective cybersecurity practices. This may include incorporating cyber risk management within vendor contracts, restricting third parties’ access to sensitive data and systems, and monitoring suppliers’ compliance with applicable regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).

Proper coverage can make all the difference. Finally, this breach made it evident that no organization—not even a successful, national retailer like Target—is immune to a data breach. What’s worse, cyber incidents have only increased in cost and frequency since this event occurred. That’s why it’s crucial to ensure adequate protection against cyber-related losses by securing proper coverage. Make sure your organization works with a trusted insurance professional when navigating these coverage decisions.


Harvard Business School

Cyber Breach at Target

By: Suraj Srinivasan, Lynn S. Paine, Neeraj Goyal

  • Length: 32 page(s)
  • Publication Date: Jul 7, 2016 (Revised: Jan 10, 2019)
  • Discipline: General Management
  • Industries: Retail and consumer goods
  • Product #: 117027-PDF-ENG
  • Included: Teaching Note, Educator Copy

In November and December of 2013, Target Corporation suffered one of the largest cyber breaches to date. The breach, which occurred during the busy holiday shopping season, resulted in the personal and credit card information of about 110 million Target customers being compromised. The case describes the details of the breach, the circumstances that led to it, the consequences for customers and for Target, and the company's response. The case then discusses the role of management and the board of directors in cyber security at Target. Target's board of directors was subject to intense criticism by shareholders and governance experts such as the leading proxy advisor Institutional Shareholder Services (ISS). The case discusses the critique and defense of the board's role. The case is designed to allow for a discussion of the causes and consequences of the cyber breach and the accountability of directors in cyber security.


China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices


The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

Dubbed ArcaneDoor , the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024.

The targeted attacks, orchestrated by a previously undocumented and suspected sophisticated state-sponsored actor tracked as UAT4356 (aka Storm-1849), entailed the deployment of two custom malware families dubbed Line Runner and Line Dancer.

The initial access pathway used to facilitate the intrusions has yet to be discovered, although the adversary has been observed leveraging two now-patched flaws in Cisco Adaptive Security Appliances ( CVE-2024-20353 and CVE-2024-20359 ) to persist Line Runner.

Telemetry data gathered as part of the investigation has revealed the threat actor's interest in Microsoft Exchange servers and network devices from other vendors, Talos said last month.


Censys, which further examined the actor-controlled IP addresses, said the attacks point to the potential involvement of a threat actor based in China.

This is based on the fact that four of the five online hosts presenting the SSL certificate identified as connected to the attackers' infrastructure are associated with Tencent and ChinaNet autonomous systems ( AS ).

In addition, among the threat actor-managed IP addresses is a Paris-based host ( 212.193.2[.]48 ) with the subject and issuer set as "Gozargah," which is likely a reference to a GitHub account that hosts an anti-censorship tool named Marzban .

The software, in turn, is "powered" by another open-source project dubbed Xray that has a website written in Chinese.


This implies that "some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall ," and that "a significant number of these hosts are based in prominent Chinese networks," suggesting that ArcaneDoor could be the work of a Chinese actor, Censys theorized.

Nation-state actors affiliated with China have increasingly targeted edge appliances in recent years, leveraging zero-day flaws in Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate targets of interest and deploy malware for persistent covert access.


The development comes as French cybersecurity firm Sekoia said it successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address tied to a variant of the malware with capabilities to propagate in a worm-like fashion via compromised flash drives .

A closer monitoring of the sinkholed IP address (45.142.166[.]112) has revealed the worm's presence in more than 170 countries spanning 2.49 million unique IP addresses over a six-month period. A majority of the infections have been detected in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.

"Many nations, excluding India, are participants in China's Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant," Sekoia said . "Numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative."

"This worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects."



COMMENTS

  1. Anatomy of the Target data breach: Missed opportunities and ...

    Target personnel discovered the breach and notified the U.S. Justice Department by December 13th. As of December 15th, Target had a third-party forensic team in place and the attack mitigated. On ...

  2. PDF Target Cyber Attack: A Columbia University Case Study

    Executive Summary. In this case study, we examine the 2013 breach of American retailer Target, which led to the theft of personally identifiable information (PII) and credit card information belonging to over 70 million customers from Target's databases. This case study will first consider Target's vulnerabilities to an external attack in ...

  3. Ten Years Later, New Clues in the Target Breach

    Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator. Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang's. Shortly ...

  4. Complete Case Study

    7 min read. ·. Dec 4, 2022. 1. The Target data breach of 2013 is considered to be one of the largest data breaches in the history of the United States. In December of 2013, credit card numbers of ...

  5. Breaking the Target: An Analysis of Target Data Breach and Lessons Learned

    Fig. 2. Attack steps of the Target breach. 2.1.2 Phase II: PoS Infection Due to Target's poor segmentation of its network, all that the attackers needed in order to gain access into Target's entire system was to access its business section. From there, they gained access to other parts of the Target network, including parts of the network ...

  6. A "Kill Chain"

    On January 10, 2014, Target disclosed that non-financial personal information, including names, addresses, phone numbers, and email addresses, for up to 70 million customers was also stolen during the data breach.9 2. The Attack On January 12, Target CEO Gregg Steinhafel confirmed that malware installed on point

  7. Case Study 2 Oscar Pellot

    Case Study 2- The Target Attack An extremely horrible incident occurred in 2013 at the well-known Target shop in the United States. Target's computer systems were infected with a type of malicious software, or "malware," just before Thanksgiving by some cunning computer hackers. When

  8. Target targeted: Five years on from a breach that shook the

    Digital Security. Target targeted: Five years on from a breach that shook the cybersecurity industry. In December 2013 news broke that Target suffered a breach that forced consumers and the ...

  9. Autopsy of a Data Breach: The Target Case

    This case revisits the events in late 2013 that gave rise to what was at the time the largest breach of confidential data in history. Indeed, on December 19, 2013, Target announced that its computer network had been infiltrated by cybercriminals who stole 40 million debit and credit card numbers as well as the personal information of some 70 million additional customers. The case presents the ...

  10. [1701.04940] Breaking the Target: An Analysis of Target Data Breach and

    This paper investigates and examines the events leading up to the second most devastating data breach in history: the attack on the Target Corporation. It includes a thorough step-by-step analysis of this attack and a comprehensive anatomy of the malware named BlackPOS. Also, this paper provides insight into the legal aspect of cybercrimes, along with a prosecution and sentence example of the ...

  11. PDF The Untold Story of the Target Attack Step by Step

    Target Attack, Step by Step. Step 1: Install Malware that Steals Credentials. According to publicly available sources, the attackers infected Target's HVAC contractor with the Citadel malware through the use of a phishing email.

  12. Target Cyber Attack

    Target Cyber Attack. This case examines the role that interconnectivity plays in corporate cybersecurity. In 2013, the American retailer Target suffered a major cyber breach after criminal hackers entered the digital systems of one of its vendors, ultimately exposing the personally identifiable information of 70 million Target customers.

  13. Cyber Breach at Target

    In November and December of 2013, Target Corporation suffered one of the largest cyber breaches to date. The breach that occurred during the busy holiday shopping season resulted in personal and credit card information of approximately 110 million Target customers being compromised. The case describes the details of the breach, circumstances ...

  14. PDF Teaching Case Security Breach at Target

    Target's efforts to improve its security and minimize the risk of other attacks in the future. The structure of the presented case study is as follows: Target's company profile, timeline of the events, the company's business processes before and after the breach (including vendor management and incident response), the

  15. Case Study: Cyber Breach at Target

    With the number of major cyber breaches in recent years (Equifax, Sony, DNC anyone?), the Target breach of 2013 may seem like ancient history. But this case from Suraj Srinivasan, which focuses on how Target managed/could have managed the attack, offers many much-needed, highly-relevant leadership lessons for today.

  16. Case Study 2

    Ramiz Yousuf 07/07/2021 Case Study 2 - The Target Attack From the dates of November 27th to December 15th, 2013, Target had a security breach, and all their customers' credit cards and debit cards were compromised throughout all of the United States. It's been said that over 70 million customers were affected by this security breach. This attack was massive because not only were ...

  17. Cyber Case Study: Target Data Breach

    The Details of the Target Data Breach. In September 2013, cybercriminals utilized an email-based phishing scam to trick an employee from Fazio Mechanical—an HVAC contractor and one of Target's third-party vendors—into providing their credentials. From there, the cybercriminals used these stolen credentials to infiltrate Target's network ...

  18. PDF Analysis of the 2013 Target Data Breach

    On January 10, 2014, Target disclosed that non-financial personal information, including names, addresses, phone numbers, and email addresses, for up to 70 million customers was also stolen during the data breach. 2. The Attack: On January 12, Target CEO Gregg Steinhafel confirmed that malware installed on point

  19. Cyber Breach at Target

    In November and December of 2013, Target Corporation suffered one of the largest cyber breaches to date. The breach that occurred during the busy holiday shopping season resulted in personal and credit card information of about 110 million Target customers being compromised. The case describes the details of the breach, circumstances that led to it, consequences for customers and for Target ...

  20. (PDF) Teaching Case Security Breach at Target

    This case study follows the security breach that affected Target at the end of 2013 and resulted in the loss of financial data for over 70 million customers.

  21. AIS Case Study 2

    In September 2013, Target experienced the first phase of the cyber-attack when its external heating and ventilation provider, Fazio Mechanical Services, was hit by a phishing email. FireEye, Inc. initially alerted Target of a cyber-attack after the Black Friday sales, but Target officials ignored the alert, and no investigations were conducted.

  22. Case Study 2 on the Target Attack .docx

    Ameer Hammad ITN 267 Professor Thomas 11/11/20 Case Study 2 on the Target Attack Cybersecurity attacks, hackers, and cyber-criminals have continued to use various breach and data access strategies. Violations included personal information, such as social security numbers, passwords, and health-related information; consumer and customer financial information, such as credit card numbers and bank ...

  23. Solved Study Questions 1. How was the attack on Target

    Study Questions 1. How was the attack on Target perpetrated? Can you identify its main phases? 2. Which weaknesses in Target security did hackers exploit? 3. Would you consider Target's data breach an information system failure?

  24. China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting

    The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys. Dubbed ArcaneDoor, the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early ...

  25. Tampa Bay, Florida news

    Florida's new education laws carry less impact than in past years. An early push to cut bureaucracy lost steam during the legislative session. A St. Petersburg housing experiment is 2 months old ...