In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers
In the twenty years since the start of my career in InfoSec, there have been a handful of security incidents that really stick out in my mind; seismic events after which the landscape seemed permanently altered. Five years ago, we experienced one of these instances when the Target breach was announced.
In light of this momentous anniversary, I decided to talk with my colleagues and fellow WeLiveSecurity Experts, about what they thought characterized the differences in the security scenery from before and after this attack.
A breach hits close to home
While 40 million payment card credentials and 70 million customer records lost seems “charmingly” small compared to more recent breaches, it was one of the first security events that hit a wide swath of people. Target was in the top five in the National Retail Federation (NRF) Top 100 Retailers list at the time (it’s down to #8 currently), and the breach was announced at the height of the holiday shopping season.
The combination of time and place was a perfect storm, reaching a significant percentage of the United States population. The odds are very good that if you lived in the US in 2013, even if you yourself were not affected, you probably know plenty of people who were. And with breaches occurring both at Target and Home Depot (currently #5 in the NRF Top 100 Retailers list) within several months of each other, the effects of each were amplified.
As Aryeh Goretsky stated: “With Target and Home Depot, consumers began (I think) to see that these weren’t intangible things that did not affect them, but rather concrete examples of ‘this happened to a place I do business with’ vs. something nebulous/opaque/invisible to consumers like a payment processor. If Target is what legitimized data breaches in consumers’ minds, maybe Home Depot was the one that galvanized them into thinking that this was going to be a repeating event.”
Chip card adoption
Another point raised by Aryeh was that “probably the biggest change is that this is what got payment processors moving towards chip & PIN in the United States.”
Stephen Cobb concurred and added that “one reason the Target breach had such an impact was timing – it happened right before Congress went home for the holidays and constituents were really angry about it. I talked to several members of Congress and their staffers in the following February and it was a very hot topic with them.”
While the use of EMV cards would not have decreased the number of records lost in the Target breach, there was a major push in the days afterwards to “do something” to decrease payment card fraud. Within months of the Target breach and within weeks of the Home Depot breach, President Obama had signed an executive order that was intended to hasten the adoption of chip card technology.
In the two years prior to these breaches, Visa and MasterCard had both announced their plans to compel banks and retail vendors to switch to offering and accepting payment cards that had embedded microchips. The conversion had been progressing slowly and quite reluctantly, but as banks suddenly had significant motivation to update the payment cards of their members, their pace picked up considerably. Many smaller retailers and gas stations are still dragging their feet in accepting EMV cards, even three years after the initial October 2015 liability switch.
Stephen also noted that “the US did not universally embrace chip and PIN, going for chip and signature in many cases. Target itself introduced a branded MasterCard a few years ago and it always requires a PIN”. In fact, all the major credit card companies only just announced this year that they’re moving towards the more secure standard of requiring a PIN.
Supply chain risk
The method that the attackers used to get access to Target’s Point of Sale (PoS) machines was by stealing the credentials of an HVAC supplier who had been accessing Target’s network through an external vendor portal. While this is a detail of the breach that has been discussed extensively within the security practitioner community in the last few years, it’s one that took some time even to permeate experts’ awareness.
David Harley recalled “I guess (or hope) that people in general and certainly the InfoSec community became more aware that it’s not just the security of the companies that you do business with that you should worry about: it’s also the security of other companies that they do business with. A company you consider trustworthy is one thing, but who do they trust? We take it for granted that we live in an interconnected world, but don’t necessarily realize just how extensive those interconnections really are.”
Stephen added, “I don’t remember anyone shouting ‘supply chain risk’ in the immediate aftermath of the Target breach, but I think it is fair to say that the Target breach marked the beginning of a broader awareness of this threat vector.”
In the years after the breach, there has been a greater understanding of the need for more robust authentication options that would have made stolen credentials less useful, and for network segmentation that would have stopped the attacker from pivoting from a less-sensitive area to one with more valuable information.
Because Target is such a popular retailer, and its breach was announced shortly before attacks on other popular retailers, the overwhelming sense was that breaches are not something that happens only to smaller shops. Attacks happen to bigger companies who should have significant defenses, as well as to smaller businesses that may not have specific security expertise. No organization of any size can afford to ignore vulnerabilities on their networks or devices, and the measures put in place to deal with fraud and data breaches affect customers as well.
Cameron Camp stated that “consumers learned to tolerate bank anti-fraud measures that, while not perfect, slow the velocity of money leaking from your account and may give you some modicum of remedy. Large breaches set the stage for banks learning how to deal with threats like this in a more manageable manner. Now that there are more data and therefore experience, they can better know how to respond.”
Stephen noticed this shift as well: “Several surveys indicate that something like 15% to 20% of consumers avoid online shopping and banking these days due to security and privacy fears, and I think that the Target breach was one of the key factors kicking off that trend (another being the Snowden revelations). Anecdotally I see some percentage of people taking one or more steps to limit their payment card exposure, like setting up transaction notifications, but I’m not sure what that percentage is.”
While acquiring sufficient budget and personnel for cybersecurity groups will always be problematic, there was a subtle shift in most executives’ perspective that eventually led to increased spending. The initial forecast for increases in security spending in 2014 was quite rosy, though it seemed that for some, this increase failed to materialize right away. Nevertheless, the increases did eventually come, as executives felt the continued pressure from customers to protect their data.
As Stephen said, “I think it was a much needed wakeup call to get deeply serious about security. Just going through the motions, like buying security products and getting your security tested, was not going to cut it: you need to architect for security, skill up for security, and train for security. If the C-suite is not making security a priority for all departments and all employees, you are at higher risk than your competitors that do prioritize security.”
Cameron echoed this sentiment: “Target came to understand that it’s not enough to just have fire-and-forget, very expensive tech to detect ‘bad things’; that correct configuration and tuning are of the essence.”
In the day-to-day struggles of securing data and devices, it can be easy to forget that there are areas in which we have indeed made progress. By looking back at major milestones, we can see how much has changed in a few years’ time. While we still have a long way to go, we can reconsider the past to strengthen our resolve to make bigger strides towards a more secure future.