The Target Breach: A Human Security Failure

20 Feb 2014

It appears that the Target data breach may finally be put to rest. After a long and thorough investigation into the method and technologies used by the data thieves to access scores of credit card numbers used in Target’s stores, the answers seem to have been uncovered.

According to Brian Krebs of Krebs on Security and his exhaustive write-up of the subject, the Target data breach occurred through network infiltration made possible by an HVAC contractor in Pennsylvania. This contractor did work in Target’s stores, and thus had access to Target’s contractor billing portal.

In brief, the contractor was targeted in an email phishing and hacking scheme that infected their computers with malware. Then, the contractor’s credentials, gleaned from their network, were used to access Target’s internal contractor billing system. From there, the hackers accessed the server that manages the application, changed their own access permissions, and gained access to Target’s internal networks. Then they uploaded their malware to Target’s POS systems and used them to collect millions of credit card numbers, which were then sold on the black market.

What is striking about this breach, besides the relatively simple method it used to gain access to Target’s systems, is how much of the responsibility comes down to human error and bad security practices.

The first major error was on the part of the HVAC contractor. It’s likely that the entire breach could have been prevented if they had caught the intrusion into their network in time. However, the company was not using proper firewalls and malware protection on their systems, according to investigators. Rather, they were relying on a free home-use version of Malwarebytes which only offered on-demand virus scanning. Because there was no real-time scan capability, the infection was able to slip into the HVAC contractor’s systems and, from there, allow access to Target.

The second error, though, belongs to Target. Though it’s not totally clear yet whether their data security practices were in violation of PCI standards, it is clear that there was not enough authentication to verify access to the contractor payment portal. According to an anonymous source that manages vendors at Target, only those with high clearance were given special security considerations such as two-step verification. Low-level vendors like the HVAC contractor were probably not even given a security assessment before being granted credentials.
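The two gaps described above, the contractor credentials reaching the application server and being used to change their own permissions, and two-step verification being reserved for high-clearance vendors with no assessment for low-level ones, are the kind of thing a defender can check mechanically. The script below is an added example, not code from the original post or from TokenEx: it audits a constructed inventory of vendor portal accounts against a policy that applies two-step verification and a pre-issuance assessment to every tier, and then runs two detections over constructed audit-log lines, an account changing its own permissions and a portal-only account reaching a zone it was never scoped for. Account names, zone names, log format and timestamps are all assumptions made for the example.

```python
# Added example (not from the original post or from TokenEx): vendor-account
# policy audit plus two audit-log detections for a contractor billing portal.
# Every account record and log line here is constructed sample data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorAccount:
    username: str
    tier: str                 # "high" or "low" clearance, as the post distinguishes vendors
    mfa_enabled: bool         # two-step verification switched on
    assessed: bool            # security assessment completed before credentials issued
    allowed_zones: frozenset  # zones this account may legitimately reach


# Constructed inventory; usernames and zone names are illustrative only.
ACCOUNTS = {
    "hvac_vendor01": VendorAccount("hvac_vendor01", "low", False, False,
                                   frozenset({"billing-portal"})),
    "bigcorp_admin": VendorAccount("bigcorp_admin", "high", True, True,
                                   frozenset({"billing-portal", "billing-app"})),
}


def policy_findings(accounts):
    """Return (username, finding) pairs. The rule is applied to every tier,
    not only to high-clearance vendors, which is the gap the post points at."""
    findings = []
    for acct in accounts.values():
        if not acct.mfa_enabled:
            findings.append((acct.username, "mfa-missing"))
        if not acct.assessed:
            findings.append((acct.username, "no-assessment"))
    return findings


# Assumed log layout: "<timestamp> user=<name> action=<verb> key=value ..."
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)")


def parse_event(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "user": m["user"], "action": m["action"]}
    for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):
        event[key] = val
    return event


# Constructed audit trail mirroring the chain the post describes:
# portal login, self-granted admin role on the app server, then an internal zone.
AUDIT_LOG = [
    "2013-11-15T10:02:11Z user=hvac_vendor01 action=login zone=billing-portal src=203.0.113.7",
    "2013-11-15T10:05:40Z user=hvac_vendor01 action=perm_change subject=hvac_vendor01 role=admin zone=billing-app",
    "2013-11-15T10:09:03Z user=hvac_vendor01 action=login zone=pos-mgmt src=10.20.1.5",
    "2013-11-15T11:00:00Z user=bigcorp_admin action=login zone=billing-portal src=198.51.100.9",
    "2013-11-15T11:01:00Z user=bigcorp_admin action=perm_change subject=other_vendor role=reader zone=billing-app",
]


def detect_anomalies(lines, accounts):
    """Return (timestamp, user, alert) triples for events a reviewer should see."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        acct = accounts.get(ev["user"])
        if acct is None:
            alerts.append((ev["ts"], ev["user"], "unknown-account"))
            continue
        # An account altering its own permissions is never routine for a vendor.
        if ev["action"] == "perm_change" and ev.get("subject") == ev["user"]:
            alerts.append((ev["ts"], ev["user"], "self-permission-change"))
        # A portal-only account touching any other zone is out of scope.
        zone = ev.get("zone")
        if zone and zone not in acct.allowed_zones:
            alerts.append((ev["ts"], ev["user"], f"out-of-scope:{zone}"))
    return alerts


if __name__ == "__main__":
    for user, finding in policy_findings(ACCOUNTS):
        print(f"POLICY  {user}: {finding}")
    for ts, user, alert in detect_anomalies(AUDIT_LOG, ACCOUNTS):
        print(f"ALERT   {ts} {user}: {alert}")
```

Run stand-alone, it reports the low-tier account as missing two-step verification and an assessment, and raises three alerts from the log: the self-granted role, the app-server zone that account was never scoped for, and the later login to the POS management zone. The point of applying `policy_findings` to every tier is that the lowest-privilege vendor is exactly the one whose credentials an attacker is most likely to obtain, so clearance level is the wrong basis for deciding who gets the stronger control.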

In other words, this breach is not really due to a problem with technology. It is possible that chip-and-pin cards would have helped prevent the breach, but it’s not guaranteed: chip-and-pin systems don’t offer any additional protection against card-not-present fraud, and since the data was lifted from Target’s internal servers, it isn’t clear that encryption and external security measures would have helped either.

The only real protection against data breaches such as the Target breach is to practice strong human security. Employees should be trained to recognize potential virus attacks and malware, and a security practice should never be chosen merely because it is simpler than the alternative.

Security technology is an important part of the process of keeping data secure, but it is not a silver bullet. Without educated users and high standards in place, thieves will find it just as easy to steal your customer data as they did to steal Target’s.

TokenEx is a leading tokenization service that allows businesses to secure payment data, HIPAA data, and other PII. Follow TokenEx on LinkedIn, Facebook and Twitter to get the latest industry information.