There's a joke in the cyber security industry that there are two types of companies: those that know they have been hacked, and those that haven't yet found out. In November 2013, Target Corporation in the US learned this the hard way when it was told by law enforcement agencies that it had been subject to one of the largest cyber attacks in history. Not long before Christmas, hackers stole credit and debit card information for 40 million Target customers, as well as home and email addresses for an additional 70 million customers.[1]
In September 2013, hackers initiated a phishing email campaign against one of Target's external heating and ventilation providers. Target did not monitor the provider's security arrangements. An employee of the provider opened a malicious link in the phishing email, which enabled the hackers to steal credentials that gave them access to Target's network and, through it, to sensitive customer payments and personal data. Using this access, the hackers were then able to install malware on 1800 point-of-sale (POS) terminals between 15 and 28 November 2013 which, in turn, allowed the hackers to collect encrypted data as it passed from the POS systems to the payment processing providers Visa and MasterCard. By 30 November, the malware had been installed on the majority of Target's POS system.
On 12 December 2013, law enforcement agencies contacted Target about the breach and the malware was removed from its POS systems on 15 December 2013.
Interestingly, Target's security team had raised vulnerabilities in Target's POS system and had suggested a review of Target's payment network only two months before the attacks. Those suggestions were not acted upon. Target also failed to act on alerts from its anti-intrusion software that attackers were installing malware in its network.
Target did not immediately disclose its breach, with the first suggestion that a breach had occurred coming from an online security blog. One week later, the company announced the breach and the theft of its data, and Target customers began identifying fraudulent transactions on their accounts.
To date, this cyberattack is estimated to have cost Target more than $200 million, with only a $90 million reimbursement from its cyber insurance policy. At the end of the day, that cost may be even more significant. The breach impacted on Target in the following ways:
- Reputational damage: Target's image suffered significantly. The company was criticised for the time it took to make the breach public and its customer service department's failures to effectively handle customer inquiries.
- Financial costs: In its quarterly financial results after the breach, Target posted a 46 per cent decline in profits and a 5.3 per cent drop in revenue.
- Internal upheaval: Target's CEO and Chief Information Officer both resigned. Target also created two new positions: the Executive Vice President and Chief Information Security Officer and the Executive Vice President and Chief Compliance Officer.
- Regulatory investigations: Target faced investigations by Congressional committees, the Securities and Exchange Commission (SEC), the Department of Justice and the Federal Trade Commission.
- Legal costs: More than 140 legal actions were launched against Target, several of which were class actions. The courts divided the actions into three groups: financial institutions, consumers and shareholders.
  - Consumers accused Target of negligence in its handling of customer data, violation of state consumer laws and state data breach laws, breach of contract, breach of the duty of care arising under a bailment of the data and unjust enrichment because part of the money paid for goods and services should have been, but was not, used by Target to provide adequate safeguards and security measures.
  - The banks (making up 29 of the claims) sought reimbursement from Target for costs arising from the breach, claiming that Target was negligent as its data security was insufficient and it had failed to implement or adhere to federal laws surrounding processing credit card payments.
  - Finally, shareholders alleged that directors had breached their fiduciary duties.
Target has since settled with Visa for US$67 million, MasterCard for US$39 million and created a US$10 million consumer fund for affected consumers, following several class actions. In the first instance, consumers with documented losses can receive reimbursement up to US$10,000 out of the US$10 million fund. Those losses could include unauthorised, unreimbursed charges on credit cards, time spent addressing unauthorised charges, higher interest fees that were paid, other fees paid on accounts (eg late payment fees and card cancellation or replacement fees), costs to replace identification documents (eg drivers' licence) and costs of credit monitoring or correcting credit reports. After payment for documented losses is made, consumers who submit valid claims without documentation will receive an equal share of the remaining funds.
- Management of third party service providers: Ensure that you robustly manage your third party service providers, not only through contractual provisions, but also by undertaking due diligence and conducting regular testing and audits.
- Evaluating risk: Ensure that your business's processes for detecting, preventing and responding to a cyber incident work from top to bottom. Consider war gaming or testing your entire cyber response capability. Alerting software doesn't work if you don't pay attention to its alerts.
- Directors' duties: Directors and officers of companies must have a thorough understanding of a company's cyber security systems and take responsibility to ensure that those systems operate effectively.
- Bare minimum not enough to beat cybercrime: Target had multiple layers of protection in place, including: segmentation; firewalls; malware detection software; intrusion detection software; prevention tools; and plans to prevent data loss. It also complied with international standards. This breach demonstrates once again that when seeking to ensure cyber resilience, compliance with standards is the 'floor and not the ceiling'.
[1] 'Autopsy of a Data Breach: The Target Case' (2016) authored by Professor Line Dubé (HEC Montréal's Department of Information Technologies) and 'Cyber Breach at Target' (2016) authored by Professor Suraj Srinivasan, Professor Lynn Paine and Research Associate Neeraj Goyal (Harvard Business School) provide digestible, detailed and well researched analysis of the Target cyber breach. Both articles are available through the Harvard Business Review website.