Target’s 2013 Data Hack – What Happened and How?

August 30, 2017

Author: Paul Driscoll
Editor: Trevor Kelly

target

Four years ago, the Target Corporation found itself in the crosshairs of dedicated hackers that resulted in one of the largest attacks on a retail chain in recent years. As a result, 40 million Target customers’ records were stolen, and upwards of 70 million further records were compromised. The fallout of this incident was a nationwide lawsuit against the corporation, involving 47 states as well as the District of Columbia. As of May 2017, this legal battle was settled with Target paying out $18.5 million in settlement claims. Apart from the legal costs, Target disclosed that the hack cost the company an estimated $202 million.

Target Corporation claims to yield impressive data security programs that are similarly used by Federal agencies, such as the CIA and the Pentagon, and yet a breach of this magnitude was still successful. Compared to the immediate aftermath of the incident, today we know considerably more about the nature of the hack and, more importantly, how it could have been prevented.

The method of the hack itself was relatively unorthodox, yet clearly effective. Instead of attempting to breach Target’s security measures protecting its databases, malware was instead allowed to infiltrate the company via its point of sale machines. The investigation into this attack discovered that the origin of the malware came from a phishing email that was sent to employees of Fazio Mechanical, an HVAC firm that was hired by Target, and was subsequently downloaded (likely by accident) by an employee.

Despite Fazio’s claims of its security software being in compliance with industry regulations, the investigation revealed that the company’s program of choice, Malwarebytes, was running on a free version. Though effective, the free version of this software lacks many of the processes that could have detected the malware in the first place. When the company was given access to Target’s servers, the malware was able to infiltrate into the corporation’s systems and give hackers all the access they needed to begin stealing valuable customer information.

Though the details surrounding the 2013 Target hacking incident are far more in depth and complicated than this, the common theme is that there were failures on behalf of Fazio Mechanical, as well as Target Corporation, to detect and stop the threat before it could get worse.

In retail settings, there are numerous ways to protect customer and store data as well as prevent possible hacking attacks to occur. The best defense for any company is to maintain up to date virus scan and malware detection software, as well as password protecting Wi-Fi connections and enabling firewall security for the company’s internet. Other useful tips for helping a business better protect itself against malicious attacks can be found in an article by business.com.

As a final note, it should be stressed that although hacking attacks against major corporations, like Target, are rare and get a lot of press when they occur, the most common cyberattacks affect small businesses the most. Small businesses typically lack the financial means to employ the most state of the art malware protection, and can rarely afford to hire professional cyber security experts who can be vigilant in detecting possible threats to company hardware. However, with the useful tips mentioned and by learning about what to look out for, a business, small or large, can better protect itself from being in the crosshairs of hackers.

Back