Following the news that Target announced regarding it´s recent data breach affecting 110 million customers, here are some thoughts and opinions from security experts on how and why this happened.
Mark Kedgley, CTO at New Net Technologies:
Unfortunately there is nothing new in card data theft. The Target incident is exceptional because the scale of data theft is massive: 40 million card numbers and personal information for 70 million customers. Also of significance is that Target is the third largest retailer in the US. This highlights the need for other retailers to now take a good look at how they are operating PCI DSS measures and consider if they were hit by malware on their POS systems that their AV missed, would their FIM detection and log analysis capabilities alert them to it?
Ilia Kolochenko, CEO at High-Tech Bridge
Until the technical details of the breach are not clear it’s difficult to make any concrete conclusions. However, it’s already the third and probably not the last time the number of affected customers increases.
This fact proves once again that attacks are becoming more and more sophisticated, and even such large companies as Target are not able to detect them and their scope immediately. To avoid such unpleasant situations information security and data privacy should be a part of corporate strategy, and not a “secondary subdivision of IT team”.
Tim ‘TK’ Keanini, CTO at Lancope:
“I think everyone will agree that the disclosure of the breach needs to be much more timely. Given these numbers, it is likely that you or someone you know was a victim of fraud that is directly tied to this incident. This is the way most people experienced the breach as this fraud happened well before they were notified of the incident. Also the level of sophistication in the attack points to state of the art techniques and a well-funded adversary. We have yet to advance our defenses to a state where it is too costly for them to operate but clearly this is where the battle must take place if we are to see any change in their behavior.”
Mark Bower, VP at Voltage Security:
1) “Unfortunately the size, scale and coordination required for this attack illustrate the lengths that attackers will go to. There are two points in the retail chain where attacks typically take place – the POS or the payment switching back end. POS systems are often the weak link–usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider. In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable. The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enable business processes to still operate as before – even at Black Friday scale. No live data means no gold to steal. We’ve helped many thousands of merchants, and their payment gateways and acquirers, to embrace these powerful techniques with no impact on the retail process, yet practically eliminating the possibility of an attack like that Target is dealing with today”
2) “The news of infiltration of IT systems leading to the loss of personal data strongly indicates that the breach is in more than the POS systems, and likely in upstream IT platforms within a line of business. The data stolen in this second wave of reports has the signature of a typical customer loyalty or customer profile database. Unfortunately, while traditional defenses may help with privacy compliance agendas, they don’t often ensure the data is protected from advanced threats of malware in the data center. Even the best prepared organizations can suffer catastrophic data losses of this magnitude by relying on traditional perimeter defenses, data at rest encryption or system monitoring.
Defense strategies today need to focus on the data – business data, payment card data, and personal data. Enterprises need to review the need to have large amounts of sensitive data stored and re-assess access to it in an unprotected format. Most often than not, the business can operate on de-identified data just the same as live information, yet without the risks and consequential fall-out from a data breach. By restricting the exposure of live data to the smallest, well managed footprint, these kinds of risks can be averted before they happen.
Data protection and de-identification can be applied equally in complex retail processing systems, mainframe-centric payment and loyalty processing architectures or in the new risk frontiers of Big Data and Cloud. The approach is proven, economical, and simple. The industry leaders have already embraced this data-centric protection strategy at global scale to take themselves off the attacker radar.”
Phil Lieberman, CEO of Lieberman Software:
“In the USA, customers are indemnified from actual loss due to the breach, so the only suggestion is to keep an eye out for unauthorized transactions and if there are any, they should contact their card issuer to obtain a new card. The only people that should be concerned are those that used their cards at Target.
As to the effect on Target, history has shown that there will probably be no material effect on Target or their stock value. Target will probably provide the required mea culpa and go back to spending a minimum amount of money on IT and security and not really worrying much about the security of their customers (but publicly stating otherwise).
The common industry practice in retail (and many other industries and services) is to spend the absolute minimum amount of money on security and IT in retail as well as outsource as much of their work as possible to the least cost vendor(s). In security, you generally get what you pay for.
Low cost / low price retailers have a real challenge offering their wares at the lowest possible price, but also running their information technology shops properly with a minimal budget. Unfortunately, running a lost cost retailer also sometimes means running a low cost IT shop with minimal security and as shown, inadequate security. Profitability and the cost of goods at highline shops is no guarantee of security, but at least they have no excuse with respect to budgets for security.
The next stage for Target will be a rash of lawsuits brought on by every state in the USA that they operate in by the Attorney Generals of those states on the behalf of their state residents. The credit card issuers will also slam them with massive fines by normal human measurement (nothing of consequence for Target). There will also be the usual gaggle of attorneys who will file class action suits against Target to shake them down for their poor downtrodden clients, but in the end the attorneys will benefit mightily by huge settlements paid for by Target to make the attorneys “go away” with consumers getting, at best crumbs, but probably not even that.
There will also be the usual hand wringing about why the USA still does not have EMV credit cards (chip and PIN/signature).”
Lamar Bailey, Director of security R&D at Tripwire:
“It’s interesting, I see a lot of data about the higher number of customers affected but not much about the data types that were breached, and that is the bigger concern. Reports this morning revealed that customer names, physical addresses and email addresses were stolen. If this is indeed the case the breach was must deeper than originally suspected and it probably effects the website along with the brick and mortar stores.”
Sam Maccherola, VP & General Manager EMEA/APAC at Guidance Software
Target’s immediate priority following the breach will have been to eliminate the immediate threat and ensure that their response to their Incident Response and forensic investigation were thorough and that follow up actions were in accordance with PCI standards and the law. The organisation will now be finding out exactly how and why the attack succeeded, and how it needs to protect itself in the future. This will require ongoing forensic legwork, such as searching through system logs, file system records and other artefacts to find out the sequence and location of events. Components of such an advanced persistent threat may be widely distributed, active or inactive meaning: the hunt will be an ongoing task.
This attack should not cause undue concern in Europe, where chip and pin is in place. Nor should it cause undue anxiety around online purchasing: the security around your web browser and the credit card processors is strong, well understood and the information sent is usually insufficient to allow a card to be cloned for any other purpose than online use. For this purpose, many credit card issuers now offer single use numbers for online use.
Much will be learnt from this attack, both by retailers and POS system providers. Hopefully it will result in a more proactive stance in identifying Advanced Persistent Threats using policy lockdowns, baseline deviation analysis and using the operational assumption that their network is already breached.