Imagine telling a customer that your carelessness allowed hackers to steal their credit card number, home address, and phone number. Imagine doing this 70 million times. Learn how Target dropped the ball and became the victim of the biggest retail hack in US history as well as some ways you can protect your business from experiencing a similar nightmare.
3 Tips for Preventing a Data Breach
Case Study: Target Misses the Mark
On November 30, 2013, six months after retail titan, Target, dropped $1.6 million on CIA-grade FireEye malware detection software, a ring of hackers uploaded exfiltration malware to the company’s security and payments system with the intention of stealing the number of every credit card used at its 1,797 United States stores. Surely, Target, aided by its recently installed malware detection software, stopped the hackers before they achieved their unsavory goal. False. You may find yourself among the one in three Americans who know from personal experience that Target’s proactive efforts to protect its customers from the fallout of a data breach fell catastrophically short in the midst of the holiday shopping season. We retrace Target’s missteps to identify where things took a turn for the worse.
- Target’s First Mistake: Inadequate Security
o The hackers accessed Target’s security and payments system via credit cards stolen from a third party vendor, Pennsylvania refrigeration and heating company, Fazio Mechanical Services. Fazio Mechanical Services insists that its data connection to Target was strictly for billing, contract submission, and project management purposes. Like any standard corporate network, Target’s system is segmented so that information like customer payments is walled off from other parts of the network and most importantly, the open Internet. The ease with which the hackers were able to steal Fazio Mechanical Services’ data suggests that there were cracks in the walls of Target’s system.
- Target’s Second Mistake: Inaction
o Target tasked a team of security specialists in Bangalore, India with monitoring its computers around the clock. If the FireEye malware tool alerted the specialists to any suspicious activity, they were to notify Target’s security operations center in Minneapolis, Minnesota. The security specialists most likely regret their decision to disable a feature that would have allowed the software to automatically delete malware upon detection. The responsibility to delete malware manually proved too much for the team. Members failed to respond to the detection tool’s numerous alerts, giving the hackers ample opportunity to install several versions of the same malware, enabling them to obtain 40 million customers’ credit card numbers as well as 70 million customers’ addresses, phone numbers, and other pieces of personal information over the course of twenty days.
When news of the biggest retail hack in US history broke, its victims were understandably upset. Target faces 90 lawsuits filed by customers and banks seeking compensation for the company’s negligence. Lost trust caused last minute holiday shoppers to take their business elsewhere, prompting Target to launch an internal investigation and public relations campaign which includes offering customers a year of free credit monitoring and identity theft protection. Experts estimate that the ordeal has cost Target up to $450 million in total.
The point of this post is not to kick Target when it is down, but to underscore the severity of the threat a data breach poses to a company’s security, reputation, and ultimately, its survival. As hard as many business owners work to emulateTarget’s extremely successful business model, they should strive to avoid its blunders. SLICE will teach you how!
Protecting Your Business from Experiencing a Data Breach
Data breaches make headlines when they affect large corporations and government institutions. However, these large companies and institutions are far from the only ones hackers target (too soon?).Small businesses, with far less resources to devote to recovery, comprise 31% of data breach incidents. In 2010, the average company lost $214 per compromised record and the total cost of a data breach continues to climb. Follow the tips below to greatly reduce the likelihood of a data breach devastating your business:
- Plan Ahead
We have said it before and we will say it again: develop a comprehensive business continuity plan. With millions of new strains of malware created each year, it is critical that your business continuity plan include a course of action to help your company recover if hackers attack its data. Review your business continuity plan regularly and update it when a new threat to your company emerges so that it is fully equipped to bounce back from any obstacle encountered.
- Keep Your Guard Up
A business continuity plan helps your company weather worst case scenarios. Luckily, many worst case scenarios can be evaded with foresight. If you will recall, the hackers that infiltrated Target’s security and payment system were able to do so because they exploited system vulnerabilities. This is the leading means of hacker incursion, followed by default password violations, SQL injections, and the Target hackers’ next move, malware attacks. Close these avenues to incursion by enforcing unified data protection policies across servers, networks, and endpoints and engaging in SLICE’s area of expertise, core systems protection.
- Make Moves
Despite your best efforts, you may find your business’ data the target of a malware attack. Target’s security specialists had the chance to intervene and stop the hackers in their tracks when the FireEye software first alerted them to the malware, but they did not take it and well, you know the rest…If you find that exfiltration malware has been uploaded to your company’s system, it is not too late to take action! Prevent data breaches in the outbound transmission phase by using your network’s software to block the exfiltration of information.
A wise man on Tumblr once reblogged, “Your best teacher is your last mistake.” An even better teacher to have is another’s mistake! Joking aside, if there is a silver lining to be found in the data breach that befell Target, it is the debacle’s value as a learning experience for business owners. By devising a detailed plan, eliminating system vulnerabilities, and if all else fails, acting fast, you can protect your company from suffering a similar crisis.