Cyber Security: Target's 2013 Data Breach

Overview

This is the first in a series of case studies/blogs that will evaluate cyber security threats and failure, from the perspective of those in the electrical industry with an eye toward the future electrical power grid that will utilize advanced communications capabilities.

In 2013, Target Corporation’s (Target) security and payment system was breached, compromising 40 million credit and debit card numbers, along with 70 million addresses, phone numbers and other personal information [1].  Target was made aware of this situation in mid-December when the U.S. Department of Justice informed the company that their system was being attacked [2]. Target had received notifications prior to this date, but had failed to act.

The "hows" and the "whys"

Malware was installed on Target’s payment and security system on November 15, 2013. Access to the system came from network credentials that were stolen from an HVAC provider based in Sharpsburg, Penn.  Initial speculation was that this vendor was monitoring HVAC systems installed at Target facilities remotely via network connection and that this was the way hackers gained entry into Targets internal network. As it turned out, this was not the case [3]. The compromised data connection was being used for “electronic billing, contract submissions and project management” [4], not monitoring of equipment. The network credentials were, in fact, gathered after the HVAC contractor's employee fell victim to a phishing scheme attack and clicked on a malicious email [5].

Target was not unprepared for the breach. Earlier that year, the company had installed malware detection software by computer security firm FireEye (high-profile FireEye customers include the CIA and Pentagon). The FireEye team in Bangalore, India monitored Target’s system around the clock, and reported the activity to Target’s security team based in Minneapolis, Minn. [6]. 

Exfiltration malware was installed on November 30, 2013 to move the stolen information out of the Target servers. These drop points were first staged around the U.S., then to computers in Russia. It was at this point that the Bangalore team became aware that something was wrong and notified the Target security team in Minneapolis. For reasons that are unclear, Target's Minneapolis team failed to act on the alert, allowing customer information to be compromised [7].

Points of failure and lessons learned

“Good security is a combination of protection, detection and response” [8]. Target had met its responsibilities of abiding by the industrial standards for payment cards [9] and had a well-respected security firm onboard, but this breach still occurred.

The initial reports on this story attracted the attention of many in the construction industry. Although, in this case, access to Target's credit card system did not come through HVAC unit, that scenario is not an improbable one. Remote monitoring of HVAC equipment is possible and future security incidents are not unlikely. 

The question becomes: “who is culpable?"  In this situation, the HVAC employee gave access to the system, but Target failed to act when they were altered by their security consulting firm. There is a danger in the security industry surrounding false alarms. Too many alerts cause people to stop paying attention, similar to the "crying wolf" phenomena. Sometimes, saying too little is better than saying too much. It is still unclear why no action was taken in Minneapolis by Target's security team.

To best protect themselves, a vendor in a service capacity needs to have a system in place to make sure their software meets current industrial standards. There is a significant danger in using poorly designed and executed software that is marketed beyond its capabilities. However, the greatest weakness in any security scheme will always be human beings. Humans choose bad passwords, configure software incorrectly, and click on malicious email links. Facility operators must make sure that the people interacting with their systems are aware of proper security procedures and understand the consequences of ignoring seemingly-benign alerts. After all, to err is human. 

References

1. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
2. https://www.schneier.com/blog/archives/2014/03/details_of_the_.html
3. http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
4. http://faziomechanical.com/Target-Breach-Statement.pdf
5. http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target
6. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
7. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
8. https://www.schneier.com/blog/archives/2014/01/ive_joined_co3.html
9. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data