After the 2013 data breach of Target's retail systems, which exposed the records of over 70 million customers, some of those affected filed a class-action lawsuit against the company. Target recently settled that lawsuit, setting aside a substantial sum of money, and became a rare example of a data breach victim that had to pay damages. This lawsuit should be seen as a warning to other businesses that additional damages could add to the already costly negative PR and direct financial losses poor security controls can cause.
Court documents filed last month in the US District Court of Minnesota show Target has settled a class-action lawsuit put forth by victims of its very public 2013 data breach. According to the documents, as reported by Dark Reading, Target will set aside $10 million in an escrow account to pay claims made against it. Any individual who can prove a direct financial loss as a result of this breach is eligible to claim up to $10,000 from this fund.
Legal experts call the news "surprising," as these types of class-action lawsuits may not be rare, but seeing a judge side with the plaintiffs is. Generally, with all the consumer protection provided by credit card companies, proving direct financial hardship stemming from a loss of information — even if it includes credit card numbers — can be difficult. This case could be a turning point for consumer-facing businesses that suffer cyberattacks, as additional penalties may now be added to the already expensive event.
The interesting aspect of the Target data breach isn't the total lack of security at Target, but rather how a piece of somewhat simple malicious code and a series of mistakes or oversights wound up costing the company tens of millions of dollars and a significant number of customers.
The US Senate Committee on Commerce, Science and Transportation conducted a kill chain analysis based on all the information available at the time. The analysts found trouble began two months prior to the actual breach, when attackers compromised a third-party HVAC vendor that had access to pieces of Target's systems through an online portal. The attackers then used those credentials to access Target's systems, and through a combination of malicious code, poor internal controls and default administrative credentials, they were able to gain access to Target's POS system.
The malicious software would then access the RAM in the POS system to gain unencrypted customer records before hiding the information under the guise of a legitimate program and sending it to an off-shore FTP site. The analysts found it was a combination of poor security controls — such as the use of default credentials, the lack of an FTP whitelist, the lack of segregation between systems, and the ignoring of security software warnings — that caused the incident rather than a single massive mistake.
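As an added illustration (not part of the original article or any tooling Target used), the following Python checks constructed connection-log lines against two of the controls the analysts found missing: an FTP destination allowlist and segregation of the POS segment from outside networks. The log format, network ranges and allowlist are assumptions.

```python
import ipaddress
import re

# Constructed sample connection-log lines (not real Target data); format is assumed.
SAMPLE_LOG = """\
2013-11-30T02:15:01Z src=10.20.5.41 dst=10.20.1.9 dport=443 bytes_out=2048
2013-11-30T02:16:10Z src=10.20.5.41 dst=198.51.100.8 dport=21 bytes_out=5242880
2013-11-30T02:17:33Z src=10.30.2.15 dst=192.0.2.20 dport=21 bytes_out=1024
2013-11-30T02:18:02Z src=10.20.5.42 dst=203.0.113.77 dport=80 bytes_out=512
"""

# Assumed policy: only this destination may receive FTP traffic.
FTP_ALLOWLIST = {ipaddress.ip_address("192.0.2.20")}
# Assumed POS segment; its hosts should never initiate connections off the internal network.
POS_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)")


def is_internal(addr):
    """True when the address falls inside one of the internal networks."""
    return any(addr in net for net in INTERNAL_NETWORKS)


def check_egress(log_text):
    """Return (timestamp, src, dst, reason) for each policy violation found."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst = m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        dport = int(m.group(4))
        # Control 1: FTP is only allowed to explicitly approved destinations.
        if dport == 21 and dst not in FTP_ALLOWLIST:
            findings.append((ts, str(src), str(dst), "FTP to non-allowlisted destination"))
        # Control 2: POS hosts must stay inside the internal network (segregation).
        if src in POS_SEGMENT and not is_internal(dst):
            findings.append((ts, str(src), str(dst), "POS host connecting outside internal network"))
    return findings


if __name__ == "__main__":
    for finding in check_egress(SAMPLE_LOG):
        print(*finding)
```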
Following this particular breach kill chain can benefit the CISOs of other corporations worrying about their own security, as it shows how even the smallest of weaknesses can provide a foothold for attackers. There's little doubt Target didn't consider its vendor portals as potential targets before this incident, and it's apparent Target ignored repeated warnings from the FBI and payment card industry about the expansion of RAM-scraping malware targeted at retailers.
For enterprise CISOs, there are two major takeaways from this incident and the resulting fallout. First, security has to be a priority in every application that the business uses. For in-house apps, this means injecting security controls at the earliest phase of the development lifecycle and utilizing tools designed to ensure common attack vectors are covered. For third-party apps and portals, this means finding a partner that specializes in the security of outsourced code to ensure every piece of software on the network is secure against the most common attacks of the day. This alone could have stopped the scraping malware aimed at Target in its tracks and sent significant warnings when authorized users (using stolen credentials) began doing unauthorized things on the network.
Second, CISOs have to understand there is no stasis in their positions. The technology threatscape is constantly shifting as new vulnerabilities and malware get created, and older threats spring back to life with a vengeance. The only way to confront modern threats is to ensure proper, modern security is present in all used applications and systems, and to stay up-to-date on the current state of information security.
For more on responding to data breaches, check out our webinar.