Between 27 November and 15 December 2013, Target was the subject of a data hack at its bricks-and-mortar stores in the US. As many as 40 million customers saw their credit and debit cards become subject to potential fraud after malware was introduced to the POS system in almost 1,800 stores.
On 19 December, the company publicly acknowledged the breach for the first time, one day after the story was revealed by investigative journalist Brian Krebs. Target said the breach was being investigated and that customers' names and payment card details, including card expiry dates and encrypted security codes, had all been accessed.
The next day, the retailer revealed that early reports of credit card fraud arising from the breach were few and far between as it sought to generate some good PR by offering customers 10% off pre-Christmas in-store purchases.
After the festivities had passed, on 27 December, the company revealed that encrypted debit card PINs had also been accessed in the breach, but it asserted that the actual PINs remained secure.
Then, on 10 January 2014, Target admitted that a further 70 million customers had had their personal information stolen in the same attack. It believes this information may include customer names, physical addresses, telephone numbers and email addresses.
So how did this, the fifth largest data breach to date across all industries, happen?
Details still hazy
The full details of the attack are still a little hazy, with Target keeping its cards close to its chest.
Neira Joneschair, CSCSS
What is known is that the breach was likely to have been initiated through Fazio Mechanical Services (FSM), a heating, ventilation and air conditioning (HVAC) contractor in Pittsburgh that was connected to Target's systems to provide electronic billing services, contract submissions and project management services.
FSM itself was the subject of an attack in which hackers stole the credentials required to breach Target and this shows one way in which other retailers may also be at risk in future.
By allowing FSM to connect to its internal networks, Target introduced another means by which it could itself be attacked. Not only that, but the company effectively gave up some of its own security controls and entrusted them to a third party.
It is not known how the FSM attacker was able to hop to Target's own payment network, but the fact that it did highlights concerns about the Payment Card Industry Data Security Standards (PCI-DSS), which mandate that a company must segregate payment card data from other parts of its corporate networks.
It is not known whether Target was in compliance with PCI-DSS at the time it was breached, but what is known is that many other organisations are certainly not. Verizon's 2014 PCI Compliance Report shows that only 11.1% of businesses were fully compliant in 2013.
With fellow data breach victim Neiman Marcus recently being described by JD Sherry, director of public technology and solutions at Trend Micro, as a "repeat offender" in terms of failing to achieve compliance, there appears to be at least a circumstantial link between poor security controls and the likelihood of a data breach.
“I have always believed that PCI-DSS is a good set of controls and organisations should look at it as a minimum standard they should achieve, even if they are not involved in card payments,” says PCI-DSS expert Neira Jones, chair of the Centre for Strategic Cyberspace and Security Science (CSCSS).
“It has been evidenced in the Verizon PCI Compliance Report 2014 that 'organisations that are breached tend to be less compliant with PCI-DSS than the average of organisations in our research'.
“That is nothing new. After all, assessing PCI-DSS is only ever a sampling exercise by the QSA and only offers a snapshot at a point in time. An organisation will only be as strong as its business-as-usual security practices, making sure they cover all aspects of people, process and technology."
Neira Joneschair, CSCSS
Jones adds: “Going back to the Target data breach, we all know now that it originated at a third-party firm. Does PCI-DSS make provisions for third-party security? V2.0 has elements of it – remote access, credentials, and so on – but I have always believed it was never sufficiently explicit, and then it comes down to the diligence of the acquirers and card schemes to promote and enforce best practice.
“I am very pleased that v3.0 is much clearer and even has some new requirements specifically looking at third-party risk management, as well as the responsibilities of third parties themselves. As the payment value/supply chain has exploded in line with the many (welcome) innovations we see on the market, the risks are now very different and new entrants don’t necessarily fit within the existing risk/security frameworks.
“This is why I believe supply chain due diligence must become a key business operations skill going forward, and that, necessarily, must include information security.”
Could it happen in the UK?
Considering the potential security lapses at Target, the question arises as to whether such a breach could occur again in the retail sector and, more specifically, here in the UK.
In response, Jones sites the Verizon report, which states that 31.3% of European organisations complied with more than 80% of DSS 2.0 controls, lagging North America (56.2%) and Asia Pacific (75.0%).
“Draw your own conclusions,” says Jones.
Poor levels of compliance make it appear likely that data breaches will continue and even become more common. It should also be noted that the number of records pilfered as a result of data breaches is also on the rise.
Last year, a record number of 823 million records were stolen through data breaches. A report from Risk Based Security and the Open Security Foundation paints a poor picture that highlights 2,164 incidents of data loss during the year. Of those, 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent.
The figures may have been rather skewed because of the nature of last year's breaches – they include the 152 million records grabbed in the Adobe breach, the largest such incident to date – but they also highlight how more than half of all the reported incidents led to the exposure of between one and 1,000 records, indicating that smaller businesses are equally at risk.
This rapid growth in the number of records seized via data breaches, which overwhelmingly target businesses, leads to one conclusion: attackers increasingly see this as a valid means of making money, and there is no reason to think they will give up such a lucrative source of income.
Effect on the bottom line
Another aspect to consider when assessing whether businesses will tackle the threat of data breaches is the effect on the bottom line.
The financial implication of the Target breach for US banks so far is about $172 million (£104 million), based on the replacement of 17.2 million cards at $10 a pop, but that is not a loss borne by Target – the banks have picked up the tab.
The retailer itself merely predicts a drop in like-for-like sales of about 2.5% from 2013, just for one quarter. For many companies, such a small drop in revenue is likely to represent nothing more than a passing inconvenience, but neither laws nor regulations offer any further incentive to invest in a convincing security plan, either.
UK Information Commissioner Christopher Graham recently admitted as much, saying that the penalties available following a breach of the Data Protection Act are inadequate.
Currently, a civil breach of the Data Protection Act carries a maximum fine of £500,000, while a criminal breach can lead to an unlimited fine. In reality, the fines dished out amount to little more than a few thousand pounds each – hardly a deterrent. This has prompted Graham to tell the House of Commons Home Affairs Select Committee: “I just think unless people feel ‘I could go to jail for this’, we are not going to get very much further. I could investigate and we will investigate… but I have to face the fact that it’s possible [convicted individuals or companies] would simply be looking at fines, and fairly modest fines.”
Whether that means UK businesses are at more or less risk of a data breach than organisations in the US is a matter of conjecture, but a lack of PCI compliance, in conjunction with poor security controls and a lack of regulatory incentive to improve, all point to a future of far more data breaches than we have seen so far, irrespective of industry or geographical location.