In the largest multi-state data breach settlement to date, Target has agreed to pay $18.5 million following an investigation into the 2013 breach that exposed sensitive customer information, including payment card account data, for as many as 110 million customers. This brings the retailer's total cost for the breach to over $200 million.
Target was certified as PCI compliant in September of 2013, shortly before the breach, so how were they hacked? Unfortunately, as we have seen in a number of recent breaches, compliance is a snapshot in time. Unless the security requirements are maintained, gaps open up in the infrastructure, and that is what happened at Target. Cybercriminals found their way into Target's gateway server using credentials stolen from a third-party HVAC vendor. Once they had those credentials, they were able to exploit weaknesses in Target's internal network, reach a customer service database, and install point-of-sale malware that captured payment card numbers and other sensitive personal information. The third-party vendor had been given network access in order to monitor energy consumption and temperatures at various stores, not to access payment card or customer information. Target had failed to properly segment the systems that handled payment card data from the rest of the network.
This is a good example of how organizations may focus their attention on securing payment card systems and other critical applications, and overlook less obvious applications that are connected to them over the network. Attackers look for the neglected point of entry, and once they have a foothold they use it, and the credentials and data harvested there, to pivot to other systems. It is important to maintain up-to-date network diagrams that help you identify potential weaknesses and show how other systems and applications may be providing a path to your data. Ensuring your cardholder data environment (or HIPAA or GLBA environment) is securely segmented from other networks, and that the appropriate security controls are in place, is critical. Segmentation should be verified rather than assumed: the question is not only whether any rule allows a vendor segment to reach the CDE directly, but whether any chain of allowed connections does.
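As an added illustration (this is not code from the original post, and it does not describe Target's actual network), the following Python models the segmentation problem the breach exposed: a firewall policy with no rule allowing the vendor segment into the CDE can still leave a multi-hop path through the corporate network. The zone names, services and rule sets are constructed for the example; a real check would be run against exported firewall or ACL rules, with IP ranges mapped to zones first.

```python
"""Transitive network-segmentation check.

Added illustration, not code from the original post. It models network
zones and the allow-rules between them, then asks whether any chain of
permitted connections lets a low-trust zone (such as a vendor's remote
access) reach the cardholder data environment (CDE), even when no single
rule permits that directly. Zone names and rules are constructed for
the example and are not a description of any real network.
"""
from collections import deque

# Constructed rule sets. Each rule: (source_zone, destination_zone, service).
# The weak policy has no rule from the vendor segment into the CDE, yet the
# vendor can still get there in three hops.
WEAK_RULES = [
    ("vendor-vpn", "corp-servers", "https"),        # vendor energy/billing portal
    ("corp-servers", "corp-workstations", "smb"),   # file shares on the corporate LAN
    ("corp-workstations", "cde-pos", "rdp"),        # admins remote into POS hosts
    ("cde-pos", "cde-payment-gw", "tls"),           # POS to payment gateway
]

# A segmented policy: vendor traffic terminates in its own DMZ, and only a
# dedicated, MFA-gated jump host may open sessions into the CDE.
HARDENED_RULES = [
    ("vendor-vpn", "vendor-dmz", "https"),
    ("corp-admin-jump", "cde-pos", "rdp"),
    ("cde-pos", "cde-payment-gw", "tls"),
]


def direct_violations(rules, untrusted_zones, cde_zones):
    """The naive check: flag only rules that allow an untrusted zone straight into the CDE."""
    return [(s, d, svc) for s, d, svc in rules
            if s in untrusted_zones and d in cde_zones]


def reachable_zones(rules, start):
    """Breadth-first walk over allow-rules; returns {zone: path_of_zones} reachable from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _svc in rules:
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths


def transitive_violations(rules, untrusted_zones, cde_zones):
    """Every (untrusted_zone, cde_zone, path) where some chain of rules reaches the CDE."""
    found = []
    for u in untrusted_zones:
        paths = reachable_zones(rules, u)
        for c in cde_zones:
            if c in paths:
                found.append((u, c, paths[c]))
    return found


def report(rules, untrusted_zones=("vendor-vpn",), cde_zones=("cde-pos", "cde-payment-gw")):
    """Human-readable summary of both checks for a rule set."""
    lines = [f"direct rules into CDE: {direct_violations(rules, untrusted_zones, cde_zones)}"]
    for u, c, path in transitive_violations(rules, untrusted_zones, cde_zones):
        lines.append(f"PIVOT PATH {u} -> {c}: " + " -> ".join(path))
    if len(lines) == 1:
        lines.append("no transitive path from untrusted zones into the CDE")
    return "\n".join(lines)


if __name__ == "__main__":
    print("weak policy\n" + report(WEAK_RULES))
    print("\nhardened policy\n" + report(HARDENED_RULES))
```

The naive check, which only looks for rules from untrusted zones straight into the CDE, passes the weak policy; the transitive check finds the vendor-vpn -> corp-servers -> corp-workstations -> cde-pos pivot. Because a segmentation claim reduces PCI DSS assessment scope, the scoping exercise should include this kind of reachability analysis and a penetration test of the segment boundary, not a review of the direct rules alone.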
The Target breach also demonstrates the importance of monitoring third-party vendor compliance and ensuring vendors have the appropriate security controls in place. Regardless of how or where a breach begins, it is costly. When payment card information is compromised, organizations can face fines of up to $500,000 per card brand for PCI compliance violations. As we saw with the Target breach, data breaches can also trigger investigations and lawsuits from other affected entities. The card brands may also require:
- Notifications to be sent to all victims (and the merchant is responsible for covering the costs of the notifications)
- Payment by the merchant for card replacement costs
- Reimbursement of fraudulent transactions
- Forensic investigations
- Validation as a Level 1 Merchant (which means an annual Report on Compliance (ROC) by a Qualified Security Assessor)
- Higher processing fees, or a requirement that the organization stop accepting payment cards organization-wide
Of course, the indirect costs of reputational damage and disruption of resources can also be significant. In the months following the 2013 breach, Target's quarterly profit fell almost 50% from the same period the previous year, driven by reputational damage and customer mistrust. In an effort to regain customers' loyalty, Target offered a 10 percent discount the weekend before Christmas and free credit monitoring for one year to affected customers.
The settlement's terms also require Target to implement a comprehensive information security program and hire an executive officer to oversee its execution. They must hire an outside vendor to conduct a comprehensive security assessment. Other security requirements include maintaining and supporting software on its network, maintaining encryption policies, segmenting its cardholder data environment (CDE), and controlling access to the network, including password rotation policies and multi-factor authentication for specified accounts. In the months following the breach, Target did take several actions to keep cardholder information safe, including a major overhaul of its internal security systems, deployment of new registers and chip-and-PIN payment terminals, and increased training for employees. None of these activities come without cost, although, as you can see, most are security best practices and/or requirements under the PCI DSS.
One final lesson learned from the Target breach involves incident management and response. Verify that your organization has a comprehensive incident response plan in place and ensure all staff have read and understand their responsibilities. Public perception matters, and in the age of the Internet it is impossible to hide problems. Although some information was withheld initially, as the investigation unfolded Target was quick to take action and was able to recover from the breach and regain customer trust. Many smaller organizations will not have the same outcome following a breach: a frequently cited estimate holds that 60% of small companies that suffer a breach go out of business within six months of the attack.
Target's settlement may be the largest on record, but they were certainly not the first organization to experience a massive data breach, and they won't be the last. Organizations can learn from the mistakes of the past: implement ongoing security controls, monitor compliance and security efforts year round, and have clearly defined processes and policies in place for proactively identifying and responding to potential incidents. Doing so will significantly reduce the overall impact when an incident does occur.
Don’t hesitate to reach out to us if you have any questions or if you would like to review our guidance on how to effectively respond to a data breach.
Some additional insights from CampusGuard’s CEO Harvey Gannon and our Security Advisor Team:
[Gannon]: Whoa! Another fine for this breach. This $18.5M is payable to various state governments. It seems that each breach is now being scrutinized by so many people, organizations and government agencies that they come out of the woodwork to claim some injury as they look for restitution. Each time I hear a prospective customer say that they will not get fined or that they have insurance, I have to wonder if they will be truly protected from all of the lawsuits they will face. The better strategy may be to take information security seriously as it is one of the highest risks to your organization.
[Henninger]: Just goes to show that the Council was on the right track by addressing the "Business as Usual" approach. PCI DSS and information security are not a "once and done" task. Systems, infrastructure and processes must be constantly evaluated and maintained in a secure manner. People, including IT staff, must be on board and understand their obligations for protections under the PCI Requirements.