AXEL.org

shopping

Devastating Data Breaches – Part 4: How Target Changed Credit Cards

In 2013, data breaches were common, but didn’t particularly weigh heavily in the public consciousness. While major data breaches had certainly occurred by that point, these breaches tended to affect less personal businesses. After all, Americans weren’t going into Yahoo or Equifax every week for grocery shopping. Data breaches tended to affect corporations that most people only interacted with online. Therefore, when a data breach occurred, it didn’t feel as personal. Combined with the equally impersonal picture of shadowy hackers stealing data from continents away, data breaches weren’t seen as a massive issue to the general population, but as an online nuisance.

Unfortunately, that mindset soon changed. In late 2013, in the middle of the holiday shopping season, Target fell victim to a data breach, with over 70 million people’s financial information becoming compromised [1]. While 70 million may sound paltry compared to Yahoo’s 3 billion leaked accounts, the damage to those 70 million victims was much more severe. Ultimately, this hack put data breaches on the mind of everyday citizens. After all, these hackers didn’t target a shadowy Internet business that only a few hundred people have physically been to. This hack targeted a popular chain of stores where millions of people shop every week.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

The Breach

In September 2013, the cybercriminals responsible for the attack began their strike on the popular retail chain. However, the hackers’ plans did not involve attacking Target directly, at least not yet. The cybercriminals targeted Fazio Mechanical Services, a contractor that provided Target with heating and air conditioning [2]. From Fazio and its approved credentials, the hackers then accessed Target’s network and quickly found access to Target’s point-of-sale (POS) systems. From there, the attackers installed malware that recorded credit card data. Finally, the hackers encrypted the credit card data and exfiltrated it right under Target’s nose.

Target became aware of a potential breach on November 30, when a Target security operations center in India recorded potentially malicious activity [1]. That activity was shared with the Target corporate office in Minneapolis, but no action was taken. Again, on December 2, malicious activity was found and reported, but no action was taken by the corporate office. Finally, on December 12, the US Department of Justice contacted Target about a potential data breach, and an investigation began [1]. One week later, Target publicly revealed the data breach.

All in all, over 70 million customer records and 40 million payment card credentials were stolen in the hack [3]. This information was put up for sale on the dark web, where any variety of cybercriminals could pay for the stolen financial data. The data breach not only included debit and credit card numbers, but PIN numbers as well, putting affected customers at a large financial risk. Overall, while 70 million victims may pale in comparison to other data breaches, the breach’s effect on those victims was enormous. 

The Fallout

In the years following the data breach, Target paid over USD $200 million in costs related to the hack [4]. Target could have paid much more, but the company had a cybersecurity insurance policy that covered about USD $90 million of the total cost [1]. Additionally, Target agreed to a settlement of USD $18.5 million to 47 state governments for further compensation to victims [4]. As part of the settlement, Target agreed to tighten its security measures, along with promising to separate its cardholder data from the rest of its computer network. Additionally, Target’s CEO, Gregg Steinhafel, resigned in May 2014, in the aftermath of the attack [4]. Although the breach certainly did not put Target out of business, it had a profound effect on the company’s financial security, along with consumer trust in the company.

To this day, just one person has been charged in connection to the attack. In 2018, a Latvian computer programmer named Ruslan Bondars was sentenced to 14 years in prison for creating a program that helped cybercriminals, including the perpetrators behind the Target attack, improve malware [5]. However, Bondars was not immediately connected to the attack. Cybersecurity experts hypothesize that Andrey Hodirevsky, a Ukrainian programmer who specializes in selling stolen financial information, was the mastermind behind the attack [5]. However, Hodirevsky has never been charged with the crime.

Finally, the Target data breach affected not only the victims, but spearheaded a massive change in credit card usage as well. Following the breach, Target was one of the first companies to offer credit cards with embedded microchips, which provides better security than the traditional magnetic swipe [3]. So while the Target attack affected millions of victims, it also helped encourage the necessary transition from magnetic swipes to chip cards.

Overall, the Target data breach highlights the importance of communications, especially when it comes to cybersecurity incidents. Had Target taken action earlier, the effects of the data breach could have been mitigated or even eliminated. Unfortunately, in the time it took for Target to realize something was wrong, the damage had already been done. Thankfully, Target quickly identified and eliminated the malware, and also ushered in the era of microchipped cards. 

Keep Your Data Secure with AXEL Go

AXEL Go is a secure file-sharing and storage software that puts you back in control of your data. From military-grade encryption to blockchain technology, AXEL offers the most stringent security for your most important files. If you’re ready to take back control of your data, try two weeks of AXEL Go for free here. To read more about AXEL Go, click here.

[1] Plachkinova, Miloslava, and Chris Maurer. “Teaching Case Security Breach at Target.” Journal of Information Systems Education 29, no. 1 (March 21, 2018). https://jise.org/Volume29/n1/JISEv29n1p11.pdf.

[2] Shu, Xiaokui, Ke Tian, Andrew Ciambrone, and Danfeng Yao. “Breaking the Target: An Analysis of Target Data Breach and Lessons Learned.” January 18, 2017. https://arxiv.org/pdf/1701.04940.pdf.

[3] Myers, Lysa. “Target Targeted: Five Years on from a Breach That Shook the Cybersecurity Industry.” WeLiveSecurity. December 13, 2018. https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/.

[4] Abrams, Rachel. “Target to Pay $18.5 Million to 47 States in Security Breach Settlement.” The New York Times. May 23, 2017. https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.

[5] Weiner, Rachel. “Hacker Linked to Target Data Breach Gets 14 Years in Prison.” The Washington Post. September 21, 2018. https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html.

How To Shop Safely On Black Friday And Cyber Monday

The time we’ve been waiting for all year is finally here: Black Friday and Cyber Monday are upon us. The holidays are the season for spending time with cherished family and friends, but Black Friday is much better because you get to buy new stuff. Friends and family move away, they get busy and can’t see you, but your new stuff will sit in your home with you until it has to be forklifted out to clear a path after you get trapped under a pile of 70% off Google Homes.

But the coming sales aren’t all fun and games. As the holiday shopping season ramps up, cyber criminals are also ramping up their activities. Here’s how you can protect yourself from being a victim of cybercrime this holiday season.

Don’t shop online in public

Seriously: the whole goal of online shopping is so you can sit in your house in your underwear and order as many pairs of Air Jordans as your credit card limit will allow. So why, in 2018, are people still leaving their houses to do this? Pro tip: being inside your house is always safer than not being inside your house. Additionally, sitting in a coffee shop while entering your credit card number will just leave you open to scammers looking over your shoulder, and they will also see that you decided a toaster would be a good gift for your mom. Additionally, using public WiFi to make purchases is not recommended: when possible, use your home WiFi or another trusted network. Also seriously, a toaster?!

Use sites you trust

Now is not the time to try anything fancy: go to the sites you know, and if you want to shop somewhere new and unfamiliar, research the company online to make sure it’s legitimate.

Make sure you use secure sites

You’ll want to use sites that use HTTPS instead of HTTP. Websites that have HTTPS in their URL will encrypt all information sent between your browser and the website. If this is too boring to remember (it is) just look for a little lock right beside the URL in your web address bar. Keep in mind that this is not a guarantee that the website is safe, but this does add an extra layer of security.

Check your bank statements regularly

Check your bank statement online, and check it often to ensure that no suspicious activity has transpired in any of your depleted accounts. Call your bank immediately if you notice something is off. And while it is highly suspicious that you bought an EZ Bake oven for yourself, that’s not the type of suspicious activity you’re looking for.

Do all that boring stuff we always tell you to do

Update your passwords regularly. Don’t use the same password twice. Ensure your computer’s software is up-to-date. Use anti-virus software. Don’t hand out your social security number like it’s Monica’s Christmas candy. Appreciate all Friends references.

Avoid using your credit card when possible

No, that doesn’t mean you should use debit. In fact, please don’t! But apps like Apple Pay are more secure, and many large retailers are now accepting Apple Pay through their apps. Many banks also offer virtual credit cards specifically for online transactions so that your real card number doesn’t fall into the wrong hands. Unless the wrong hands are also your hands, in which case I cannot help you.

Don’t shop on websites using your mobile browser

It’s hard to see if they’re secure. Instead, use the retailer’s app. Yes, this means you must download yet another app as you’re hunched over your desk at work just trying to buy a pair of boots before anyone notices you haven’t sent the invoice you promised Cathy, but Cathy can wait. This is your online safety we’re talking about, Cathy!!

Don’t click on links

Type the website URL directly into your browser’s address bar instead of clicking on links sent to you through email, text, or other messaging apps. Scammers will often send emails or messages that look exactly like a retailer’s marketing materials, but these links will direct you to a fake website or install malware on your device.

Spend all your money!!!

Max out those credit cards and drain your accounts. If you have nothing to steal, scammers cannot steal from you. (This is obviously a joke – it’s important to spend wisely and make sure that you have money left over for food. Do you have money to buy me food? Just kidding. Unless you’re offering.)

Black Friday and Cyber Monday are a great way to temporarily escape from the dreary prison of your life. Just make sure to follow these tips so you can ensure that you are the only one spending your money. Happy shopping!!